Summary

This paper explores goal-directed proof search in first-order multi-modal logic. The key issue 
is to design a proof system that respects the modularity and locality of assumptions of many 
modal logics. By forcing ambiguities to be considered independently, modular disjunctions 
in particular can be used to construct efficiently executable specifications in reasoning tasks 
involving partial information that otherwise might require prohibitive search. To achieve this 
behavior requires prior proof-theoretic justifications of logic programming to be extended, 
strengthened, and combined with proof-theoretic analyses of modal deduction in a novel way.
1 Introduction

This paper explores the proof-theoretic interaction between the goal-directed application of
logical inferences and information-flow — that is, the possible connections between assumptions
and conclusions in proofs. My own starting-point for this exploration was the result of
[Stone, 1999], that intuitionistic sequent calculi can be formulated so as to exhibit the
characteristically intuitionistic modular information-flow (as underlying the correspondence
between proofs and programs [Howard, 1980], for example) while nevertheless allowing logical
inferences to be applied in any order whatsoever. This raises the question whether it is possible
to enforce this kind of modularity incrementally during goal-directed proof search. Of course,
the well-known flexibility of deduction in nonclassical logics [Fitting, 1972, Fitting, 1983,
Wallen, 1990] is ample motivation for the question.

1.1 Problem Statement 

I begin by delineating the focus of the paper more precisely. I will work with a family of
first-order multi-modal logics in this paper. The generalization from intuitionistic logic
reflects the utility of more general ways of structuring logical specifications
[Baldoni et al., 1993, Baldoni et al., 1998^], as well as the broader importance of expressive
modality in practical knowledge representation [McCarthy, 1993, McCarthy, 1997]. Qualitatively,
what distinguishes the logics I consider (for which formal definitions are provided in Section 2)
is that they permit rules of modal inference to be formulated in two equivalent ways
[Fitting, 1972, Fitting, 1983, Wallen, 1990]. I illustrate the alternatives for the case of S4,
a logic that we can perhaps regard as the pure modal logic of local and global modular
assumptions [Giordano and Martelli, 1994].

1.1.1 Structural scope and modularity

The first formulation of modal inference is illustrated by the sequent inference figure below:

$$\frac{\Gamma^{*} \longrightarrow G, \Delta^{*}}{\Gamma \longrightarrow \Box G, \Delta}$$

Such inferences set up a discipline of structural scope in proofs. Read upward, as a description of
proof search, the figure describes how to accomplish generic reasoning about a modal context, such
as the conclusion $\Box G$ here. We have to transform the sequent we are considering, by restricting
our attention just to the generic modal statements in the sequent. Specifically, $\Gamma^{*}$
contains the formula occurrences of the form $\Box A$ in $\Gamma$, and $\Delta^{*}$ contains the
formula occurrences of the form $\Diamond A$ in $\Delta$. The effect of the transformation is that
we move from our current scope into a new, nested scope in which just generic information is
available. Figure 1 illustrates all the structurally-scoped S4 sequent inferences that I will draw
on in this motivating discussion; I refer the reader to [Fitting, 1983, Wallen, 1990] for more
details on structurally-scoped proof.

The ability to define structural scope is intimately connected with the ability to describe
modular and local reasoning. In specifying reasoning, we can think of antecedent formulas in
sequents as program statements and succedent formulas in sequents as goals. In modal logics with
structural scope, a necessary goal $\Box G$ can be seen as a modular goal because, as enforced by
the structurally-scoped inference figure, only program statements of the form $\Box P$ can
contribute to its proof. In other words, we cannot use the entire program to prove G; rather, we
must use a designated part of the program: formulas of the form $\Box P$. This is the module we use
to prove G. Multi-modal logic allows us to name modules in a general way [Baldoni et al., 1993,
Baldoni et al., 1998a].

Figure 1: Six inference figures and the axiom for structurally-scoped S4. After [Fitting, 1983,
Wallen, 1990]. Sequents are multisets of modal formulas; this formulation (though not others that
we will consider later) requires a structural rule of contraction. See Section [



In fragments of logic without the operator $\Diamond$, including S4 translations of intuitionistic
formulas in particular, modularity brings locality. A goal $\Box(P \supset G)$ introduces a local
assumption P. The assumption is local in the sense that it can only contribute to the proof of G,
and cannot contribute to any other goal. We can motivate this locality in logical terms by
examining the sequent inferences for $(\to \Box)$ and $(\to \supset)$ in combination:

$$\frac{\Gamma^{*}, P \longrightarrow G}{\Gamma \longrightarrow \Box(P \supset G), \Delta}$$

Observe that this logical fragment is constructed so that the succedent context $\Delta^{*}$ above
$(\to \Box)$ is empty, and so we introduce P into a subproof where G is the only goal.

Logical modularity and locality underlie the use of the proof theory of modal logic as
a declarative framework for structuring specifications, and thereby facilitating their design
and reuse [Miller, 19^, Giordano and Martelli, 1994, Baldoni et al., 1993, Baldoni et al., 1996,
Baldoni et al., 1998^]. Concretely, a goal that specifies the part of the program to be used in
its proof will give rise to the same operational behavior when other parts of the program change.
In this paper, I further emphasize that logical modularity and locality provide declarative tools
for constraining the complexity of proof search itself. My motivating example is the proof in
Figure 2, which establishes that the conclusion

$$(\Box A) \land (\Box C)$$

follows from the assumptions

$$\Box(A \lor B),\ \Box(C \lor D),\ \Box(B \supset A),\ \Box(D \supset C)$$

The model theory of modal logic can also be used to structure specifications [Sakakibara, 1987].

$$
\cfrac{
  \cfrac{
    \cfrac{
      \cfrac{
        A, \ldots \longrightarrow A
        \qquad
        \cfrac{
          \cfrac{B, \ldots \longrightarrow B, A \qquad A, \ldots \longrightarrow A}
                {B,\ B \supset A, \ldots \longrightarrow A}
        }{B,\ \Box(B \supset A), \ldots \longrightarrow A}
      }{A \lor B,\ \Box(B \supset A), \ldots \longrightarrow A}
    }{\Box(A \lor B),\ \Box(B \supset A), \ldots \longrightarrow A}
  }{\Box(A \lor B),\ \Box(B \supset A), \ldots \longrightarrow \Box A}
  \qquad
  \cfrac{
    \cfrac{
      \cfrac{
        C, \ldots \longrightarrow C
        \qquad
        \cfrac{
          \cfrac{D, \ldots \longrightarrow D, C \qquad C, \ldots \longrightarrow C}
                {D,\ D \supset C, \ldots \longrightarrow C}
        }{D,\ \Box(D \supset C), \ldots \longrightarrow C}
      }{C \lor D,\ \Box(D \supset C), \ldots \longrightarrow C}
    }{\Box(C \lor D),\ \Box(D \supset C), \ldots \longrightarrow C}
  }{\Box(C \lor D),\ \Box(D \supset C), \ldots \longrightarrow \Box C}
}{\Box(A \lor B),\ \Box(C \lor D),\ \Box(B \supset A),\ \Box(D \supset C) \longrightarrow (\Box A) \land (\Box C)}
$$

Figure 2: This structurally-scoped S4 proof shows how the locality of modular assumptions limits
the possible interactions in proof. Ellipses mark points in sequents where I have suppressed
additional formula occurrences that no longer contribute to the inference.


The assumptions in this proof — the program statements — specify two ambiguities. Either A or
B holds, and either C or D holds. As part of the specification, we use modal operators to say how
to reason with these ambiguities: we have $\Box(A \lor B)$ and $\Box(C \lor D)$. This means that
the ambiguities themselves are generic; we can use them to perform case analysis at any time.
However, when we reason about any particular case, we make local assumptions — we will assume A
rather than $\Box A$ for example.

This specification limits the way case analyses in the proof interact. Consider our goal here:
$(\Box A) \land (\Box C)$. We must prove each conjunct separately, using generic information; that
is, each conjunct is proved in its own new nested scope. Thus, in the proof of Figure 2, we perform
case analysis from $\Box(A \lor B)$ within the nested scope for $\Box A$, and perform case analysis
from $\Box(C \lor D)$ within the nested scope for $\Box C$. Observe that the logic dictates the
choice for us. For instance, performing case analysis from $\Box(A \lor B)$ within the nested scope
for $\Box C$ is useless — the assumption of A and B cannot help here. Importantly, performing case
analysis from $\Box(A \lor B)$ at the initial, outermost scope is also useless. Whatever
assumptions we make will have to be discarded when we try to prove the conjuncts, and consider only
generic information. This specification therefore cordons off the two ambiguities from one another
in this proof problem. We have to consider the ambiguities separately.

Effectively, it is part of the meaning of the specification of Figure 2 that proofs must be short.
A proof in this specification must be a combined record of independent steps, not an interacting
record with combined resolutions of ambiguities. To my knowledge, the possibility for this kind of
declarative search control in disjunctive modal specifications has not received comment previously.
But it seems to me to be one of the most exciting and unique uses for modal logic in representation
and problem-solving.

Figure 3: Six inference figures and the axiom for explicitly-scoped S4. See [Fitting, 1983,
Wallen, 1990, Stone, 1999]. The $(\to \Box)$ inference is subject to an eigenvariable condition
that $\alpha$ is new. In the $(\Box \to)$ inference, $\mu\nu$ refers to any sequence of terms that
extends $\mu$ by a suffix $\nu$.

1.1.2 Explicit scope and goal-directed search 

The second formulation of modal reasoning is illustrated by the sequent figure below:

$$\frac{\Gamma \longrightarrow G^{\mu\alpha}, \Delta}{\Gamma \longrightarrow \Box G^{\mu}, \Delta}$$

Such inferences institute an explicitly-scoped sequent calculus; each formula is tagged with a
label indicating the modal context which it describes. These labels are sequences of terms, each of
which corresponds to an inference that changes scope. Superscripts are my notation for labels;
above, $\mu$ labels the scope of the succedent formula $\Box G$. To reason about a generic modal
formula, we again introduce a new, nested scope in which just generic information is available; we
now label the formula with its new scope. Thus above G is labeled $\mu\alpha$; and $\alpha$ is
subject to an eigenvariable condition — it cannot occur elsewhere in the sequent — and so
represents a generic possibility. At axioms, the scopes of premises and conclusions must match;
therefore modal inferences can dispense with destructive transformation of sequents.

Figure 3 illustrates the other explicitly-scoped S4 sequent inferences that I will draw on
in this motivating discussion. Explicitly-scoped proof systems have a long history as prefixed
tableaus; see [Fitting, 1983, Wallen, 1990] and references therein. Each label sequence can
be viewed as representing a possible world in possible-worlds semantics, so for example the
$(\to \Box)$ inference figure represents a transition from the world named by $\mu$ to a new world
$\mu\alpha$ that represents a generic possibility accessible from $\mu$. The more general study of
such systems has put them in a new proof-theoretic perspective recently. They are closely related
to semantics-based translation systems [Ohlbach, 1991, Nonnengart, 1993] and labelled deductive
systems [Gabbay, 1996, Basin et al., 1998]. I use the term explicitly-scoped from [Stone, 1999]
because I continue to emphasize the extent to which the two formulations of reasoning represent
the same inferences, just in different ways.

The ability to define explicit scope is intimately connected with the ability to carry out
goal-directed proof. I adopt the perspective due to [Miller et al., 1991] that goal-directed proof
simply amounts to a specific strategy for constructing sequent calculus deductions. The strategy is
first to apply inferences that decompose goals to atoms and then to apply inferences that use a
specific program statement to match a specific goal. Proofs that respect this strategy are called
uniform. On this strategy, logical connectives amount to explicit instructions for search, and this
is in fact what lets us view a logical formula concretely as a program [Miller et al., 1991].

Unlike other, more procedural characterizations of algorithmic proof, such as [Gabbay, 1992],
this view largely abstracts away from the exact state of computations during search. The key
questions are purely proof-theoretic. In particular, goal-directed proof is possible in a logic if
and only if any theorem has a uniform proof. In systems of structural scope, this is not possible,
and we must instead restrict our attention to inference in specific logical fragments, as described
for the intuitionistic case in, e.g., [Miller et al., 1991, Harland, 199^, Harland et al., 2000].

By contrast, systems of explicit scope can be lifted by a suitable analogue to the
Herbrand-Skolem-Godel theorem for classical logic so that any pair of unrelated inferences can be
interchanged [Kleene, 1951, Wallen, 1990, Lincoln and Shankar, 1994, Stone, 1999]. Thus, unlike
systems of structural scope, systems of explicit scope permit general goal-directed reasoning.
If we adopt Miller's characterization of uniform proof for sequent calculi with multiple
conclusions [Miller, 1994, Miller, 1996], then any modal theorem has a uniform proof in a lifted,
explicitly-scoped inference system. Put another way, explicitly-scoped inference assimilates modal
proof to classical proof, and we know that uniformity is not really a restriction on classical
proof [Harland, 1997, Nadathur, 199^]. This is why my investigation emphasizes questions of
information-flow, such as modularity and locality, rather than questions of goal-directed proof per
se.

I will refer to the proof of Figure 4 to illustrate some of the properties of information-flow in
goal-directed search. The proof establishes the conclusion



from assumptions 



$$A \lor B,\ C \lor D,\ A \supset F,\ C \supset F,\ (B \land D) \supset F$$



First we must get clear on the reasoning Figure 4 represents. The assumptions in this proof
again specify two ambiguities: $A \lor B$ and $C \lor D$. In modal terms, these are local
ambiguities that introduce local assumptions; but actually, Figure 4 uses only classical
connectives, and this classical reasoning suffices for my discussion here. In Figure 4, the two
ambiguities interact to require inference for three separate cases: one case where A is true, one
case where C is true, and a final case where B and D are true together. (These cases are laid out
separately in Figure 4.) In goal-directed inference, we discover these cases by backward chaining
from the main goal F through a series of implications: $A \supset F$, $C \supset F$, and
$(B \land D) \supset F$.

A further case of structural control of inference that has attracted particular interest is linear
logic, where linear disjunction must be understood to specify synchronization between concurrent
processes rather than proof by case analysis; see, e.g., [Andreoli, 1992, Hodas and Miller, 1994,
Pym and Harland, 1994, Miller, 1996, Kobayashi et al., 1999]. The investigation of fragments of
linear logic remains essential, as linear logic has no analogue of an explicitly-scoped proof
system, and so — unlike intuitionistic logic and modal logic — must be understood as a refinement
of classical logic rather than an extension to it [Girard, 1993].

Figure 4: A goal-directed proof in which multiple cases are considered. Each case is displayed in
a separate block.

Now we can describe the structure of the proof of Figure 4 more precisely. The inference is
segmented out into three chunks, one for each case. The chunks are indexed to indicate how they
should be assembled into a single proof-tree; the chunk indexed [3] should appear as a subtree
where the index [3] is used in chunk [2], and that chunk should in turn appear as a subtree where
the index [2] is used in chunk [1]. We could imagine writing out that tree in full — on an ample
blackboard! However, the chunks are actually natural units of the proof of Figure 4; they are what
Loveland calls blocks [Loveland, 1991, Nadathur and Loveland, 1995]. In general, a block of a
derivation is a maximal tree of contiguous inferences in which the right subtree of any
$(\lor \to)$ inference in the block is omitted. (Check this in Figure 4.) Each block presents
reasoning that describes a single case from the specification.

Within blocks, we can trace the progress of goal-directed reasoning, as follows. At each step,
our attention is directed to a distinguished goal formula — the current goal — and at most one
distinguished program formula — the selected statement. For illustration, these distinguished
formulas are underlined in each sequent in Figure 4. Logical operations apply only to distinguished
formulas; we first decompose the goal down to atomic formulas, then select a program formula and
reason from it to establish the current goal.

There are two things to notice about this derivation. First, we use a restart discipline when
handling disjunctive case analysis across blocks [Loveland, 1991, Nadathur and Loveland, 1995].
In each new block, the current goal is reset to the original goal F to restart proof search. It is
easy to see that it does not suffice, in general, to keep the current goal across blocks; in
Figure 4, for example, keeping the current goal would mean continuing to try to prove A after we
turn from the case of A to the case of B. The more general restart rule is however complete; in
fact, the restart rule is a powerful way to extend a goal-directed proof system to logics where a
single proof must sometimes analyze the same goal formula in qualitatively different ways
[Gabbay and Reyle, 1984, Gabbay, 1985, Gabbay, 1992].



Second, note when and how newly-assumed disjuncts are used in new blocks. For example, B is
assumed in block [2] but it is not used until block [3]. By contrast, D is assumed in
block [3] and used immediately there. Following [Loveland, 1991], I will refer to any use of
a disjunctive premise in the first block of case analysis where it is assumed as a cancellation;
I will also say that the inference that introduces the disjunct, and the new block it creates, are
canceled. The proof of Figure 4 cannot be recast in terms of canceled inferences using the
sequent rules of Figure |[. Whichever case of $A \lor B$ or $C \lor D$ is treated first cannot be
canceled; the second disjunct of the one must wait to be used until the second disjunct of the
other is introduced. This is a gap between Loveland's original Near-Horn Prolog interpreter
[Loveland, 1991], which requires cancellations, and the generalized reformulation in terms of
sequent calculi given in [Nadathur and Loveland, 1995, Nadathur, 1998] and suggested in Figure 4.
Loveland suggests that cancellation is just an optimization, but we shall see that modal logic
establishes an important proof-theoretic link between cancellation and modularity.
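
The restart discipline and the notion of cancellation described above can be traced mechanically on the assumptions of Figure 4. The Python sketch below is an added example, not code from the paper: the names `Clause`, `Block`, `solve`, `solve_all`, `prove` and `FIGURE_4_PROGRAM` are hypothetical, it covers only classical propositional clauses with disjunctive heads, and it matches any head of a disjunctive clause in the manner of Near-Horn Prolog.

```python
from typing import Iterator, List, NamedTuple, Optional, Tuple


class Clause(NamedTuple):
    heads: tuple      # disjunctive heads; a single head is an ordinary Horn clause
    body: tuple = ()  # conjunction of atoms that must be proved first


class Block(NamedTuple):
    assumed: tuple    # disjuncts assumed so far; the last one is new in this block
    used: frozenset   # assumed disjuncts that the reasoning in this block relies on

    @property
    def canceled(self) -> Optional[bool]:
        """True if the disjunct introduced for this block is used inside it."""
        return self.assumed[-1] in self.used if self.assumed else None


def solve(goal, program, assumed, ancestors=frozenset()) -> Iterator[Tuple[frozenset, tuple]]:
    """Yield (used, deferred) for each way of proving `goal` within one block."""
    if goal in assumed:
        yield frozenset([goal]), ()
    if goal in ancestors:  # loop check: this goal is already being attempted
        return
    for clause in program:
        if goal not in clause.heads:
            continue
        others = tuple(h for h in clause.heads if h != goal)
        if any(h in assumed for h in others):
            continue  # the deferred case would repeat the current one: no progress
        yield from solve_all(clause.body, program, assumed,
                             ancestors | {goal}, frozenset(), others)


def solve_all(goals, program, assumed, ancestors, used, deferred):
    """Prove a conjunction of atoms, accumulating used and deferred disjuncts."""
    if not goals:
        yield used, deferred
        return
    for u, d in solve(goals[0], program, assumed, ancestors):
        yield from solve_all(goals[1:], program, assumed, ancestors,
                             used | u, deferred + d)


def prove(goal, program, assumed=()) -> Optional[List[Block]]:
    """Return the blocks of a restart proof of `goal`, or None if none is found."""
    for used, deferred in solve(goal, program, assumed):
        blocks = [Block(assumed, used)]
        for disjunct in dict.fromkeys(deferred):  # each deferred case, once
            # Restart: the new block assumes the other disjunct and resets
            # the current goal to the original goal.
            sub = prove(goal, program, assumed + (disjunct,))
            if sub is None:
                break  # this way of closing the block fails; backtrack
            blocks += sub
        else:
            return blocks
    return None


# The assumptions of Figure 4 as clauses (encoding constructed for this example).
FIGURE_4_PROGRAM = [
    Clause(("A", "B")),          # A or B
    Clause(("C", "D")),          # C or D
    Clause(("F",), ("A",)),      # A implies F
    Clause(("F",), ("C",)),      # C implies F
    Clause(("F",), ("B", "D")),  # (B and D) implies F
]

if __name__ == "__main__":
    for i, block in enumerate(prove("F", FIGURE_4_PROGRAM), start=1):
        print(i, block.assumed, sorted(block.used), block.canceled)
```

The three blocks it returns assume nothing, then B, then B and D; only the third block uses its new disjunct in the block where it is assumed.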

1.1.3 On modular goal-directed proof search 

As befits alternative proof methods for the same logic, structurally-scoped systems and
explicitly-scoped systems are very close. In fact, in the case of intuitionistic logic, they define
not just the same theorems but the same proofs [Stone, 1999]. This correspondence suggests that we
use insights about information-flow in structurally-scoped proofs — including the modularity and
locality exhibited by Figure 2 — to restrict goal-directed proof-search in explicitly-scoped
systems.

In fact, we know from [Stone, 1999] that we can sometimes enforce a straightforward requirement
of locality in explicitly-scoped inferences, as follows. Assume that we have an explicitly-scoped
proof system for a logic with modularity and locality, with an eigenvariable condition on
$(\to \Box)$, and we work in a fragment of logic without negation (this again includes the S4
translation of intuitionistic formulas). Then when we consider a sequent of this form in
proof-search:

we apply inferences to a formula P in $\Gamma$ only when P is labeled with a prefix of a label of a
formula in $\Delta$. That is, we can consider inferences on $P^{\mu} \in \Gamma$ only when there is
some $G^{\mu\nu} \in \Delta$. The prefix relationship is required for P to eventually contribute to
the proof of any $\Delta$ formula. For example here:

We can consider A, B^ or C^, but not D^. 

This invariant is weaker than one might want or expect for certain kinds of goal-directed search.
Specifically, we have seen that when we use goal-directed search as a model for logic programming,
we understand the interpreter to be working on at most one goal and one program statement
at a time. In this setting, we would like to require that the program statement must be able to
contribute to the current goal. However, we must understand the result of [Stone, 1999] to require
only that the current program statement must contribute to some goal, not necessarily the current
one. In addition, we must take into account other, inactive goals, such as the goals that we may
potentially restart later in proof search. In the preceding example, even if were the current goal,
we might have to consider reasoning with because of the possibility of a restart with F^.

For most inferences, we can rule out their contribution to inactive goals, on independent
grounds. Most inferences from assumptions in goal-directed proofs must contribute to the current
goal or not at all. But there is one difficult case, which happens also to be the most meaningful
one. This is the case of disjunction itself, where only one disjunct contributes to the current
goal. The other disjunct may contribute to some other goal; we will set up a new proof problem by
assuming this disjunct and making some inactive goal active. Modularity and locality suggest that
we should be able now to select a goal that our newly-assumed disjunct could contribute to. In
other words, if the new disjunct is the next goal should take the form $G^{\mu\nu}$ with $\mu$ a
prefix of $\mu\nu$. Call this a modular restart. The alternative is that there is no relationship
of scope between the new disjunct and the next goal.

Modular restarts would be quite powerful. For example, they would allow us to capture the
declarative search control illustrated in Figure 2. In an explicitly-scoped goal-directed proof
corresponding to Figure 2, the case analysis for $\Box(A \lor B)$ will look like this:

A«,... — ^A«,... — ^A«,... 



□ 



With modular restarts, we know we must continue to take $A^{\alpha}$ as the current goal in the
right top ($B^{\alpha}$) subproof. In effect, we know to build a short proof in which ambiguities
are considered independently. We can cut down the space for proof search accordingly — for example,
there will be no question of introducing the other ambiguity from $\Box(C \lor D)$ in the new
modular block. On the other hand, without modular restarts, we are free to reconsider the initial
goal $(\Box A) \land (\Box C)$ at this stage; in subsequent search we will reconsider both
$\Box(A \lor B)$ and $\Box(C \lor D)$. Thus, even though the logic guarantees that ambiguities do
not interact in a proof, we still wind up considering interacting ambiguities in proof search.

The main result of this paper is to provide an explicitly-scoped goal-directed proof system in
which modular restarts are complete. The proof system has modular restarts because, in the new
proof system, any proof can be presented in such a way that all disjunctions are canceled. Each
new disjunct therefore contributes to the proof of the restart goal in the current block, and so
we know to choose a restart goal $G^{\mu\nu}$ that the new disjunct could contribute to.

It turns out that modular restarts are not automatic; you need to design the policy for disjunctive
inference to respect it. Figure 4 already makes the problem clear. How can we enforce cancellations
here? The sequent rules seem not to allow it. The new idea is simple actually — to allow a
new inference figure for disjunction that considers disjuncts out of their textual order:

$$\frac{\Gamma, D^{\mu} \longrightarrow \Delta \qquad \Gamma, C^{\mu} \longrightarrow \Delta}{\Gamma, C \lor D^{\mu} \longrightarrow \Delta}$$


This is the direct analogue of the Near-Horn Prolog inference scheme, which can proceed by
matching any of the heads of a disjunctive clause at any time [Loveland, 1991]. The new sequent
rule will allow us to reanalyze the constitution of higher blocks so that, wherever we use the new
disjunct in the original proof, we can always reanalyze it as part of the current block. Figure 5
demonstrates this reanalysis for Figure 4. In fact, demonstrating the generality of such reanalysis
will prove to be quite involved. Explicitly-scoped inferences with an eigenvariable condition give
blocks in modal proofs an inherently hierarchical structure, because of the different modal scopes
that are introduced and the local assumptions that are made. Loveland's construction for
cancellations, by contrast, assumes that the structure of blocks is flat. Instead, we must use the
natural tools of the sequent calculus to develop suitable constructions for reanalyzed inferences.

Figure 5: A reanalysis of the proof of Figure 4 to enforce cancellations. We rewrite block [3'], in
which B is canceled, to use the new disjunctive inference figure; block [3'] thus becomes the
second block after [1]. At the same time, we introduce a simplified block [2'] which uses the
assumption C, without disjunction at all.

1.2 The results and their context 

The problem sketched in Section [O] is a pure problem of modal proof. Accordingly, all the proof
systems I consider will describe sound and complete inference under the usual Kripke semantics
for modal logic [Kripke, 1963, Fitting, 1983]. I will not consider interactions of disjunction with
negation-by-failure and other operational features of logic programming proof-search systems.
For such issues in disjunctive logic programming, see for example [Lobo et al., 1992]. Nor will I
attempt to describe a minimal model or fixed-point construction in which exactly the consequences
of a modal program hold, as in [Orgun and Wadge, 1992].

Moreover, my interest is in specific fragments of specific modal logics in particular. Modularity
and locality allow consideration of the logics T, K and K4 in addition to S4, but are not compatible
with such logics as S5, temporal logics with symmetric past and future operators [Gabbay, 1987],
the logic of context of [McCarthy and Buvac, 1994] or the modal logic of named addresses of
[Kobayashi et al., 1999]. For example, in S5, if $\Box A$ is true at any world, then $\Box A$ is
true at all worlds; thus the logic prohibits making such an assumption locally. To see the problem,
observe, for example, that $\Box(\Box A \supset B) \lor \Box A$ is a theorem of S5. Modal proofs in
such cases require global restarts [Gabbay and Olivetti, 1998]. Locality further rules out logical
fragments with possibility or negation. Such fragments can be used to pose goals that access
otherwise local assumptions, as in the theorem $\Box(A \supset B) \lor \Diamond A$ of all normal
modal logics. (Goal-directed proof of this theorem also involves a global restart.) Moreover, such
fragments make it more difficult to enforce modularity as well, since they do not permit an
eigenvariable condition at $(\to \Box)$ inferences in goal-directed proofs. My investigation
therefore sticks closely to the treatments of logical modularity and locality originally explored
in [Miller, 1989, Giordano and Martelli, 1994]. Indeed, I continue to restrict implications and
universal quantifiers in goals to strict statements of the form $\Box(P \supset G)$ and
$\Box\forall x\, G$.

The basic strategy that I adopt is to start with a relatively straightforward proof system, and
gradually to narrow the formulation of its inference rules — preserving soundness and completeness
with respect to the underlying semantics — until we have a proof system, SCLP, with the
desired characteristics, namely goal-directed search and modular restarts. I have been particularly
influenced by Lincoln and Shankar's presentation of proof-theoretic results in terms of simple
transformations among successive proof systems [Lincoln and Shankar, 1994]; and by Andreoli's
construction of focusing sequent calculi that embody the discipline of goal-directed proof directly
in the form of inference figures [Andreoli, 1992].

However, the correct design of the final proof system requires a variety of proof-theoretic ideas
about logic programming to be extended, strengthened, and combined with proof-theoretic results
about modal logic in a novel way. To describe logic programming, we start with the idea of
uniform proof search described in [Miller et al., 1991] and extended to multiple-conclusion calculi
in [Miller, 1994]. To derive a uniform proof system in the presence of indefinite information in
assumptions, however, we can no longer use the familiar quantifier rules used in previous logic
programming research, which simply introduce fresh parameters; we must apply a generalization
of Herbrand's Theorem [Lincoln and Shankar, 1994] and work with quantifier rules that introduce
structured terms. The calculus of Herbrand terms, SCL, lifts the explicitly-scoped proof systems
considered in Section 1.1.2 and [Fitting, 1983, Wallen, 1990]. The key property of SCL is that
inferences can be freely interchanged. This allows arbitrary proofs to be transformed easily into
uniform proofs.

The modular behavior of this uniform system depends on the further proof-theoretic analyses
of path-based sequent calculi adapted, in part, from [Stone, 1999]. These analyses establish that
path representations enforce modularity and locality in the uses of formulas in proofs, even with
otherwise classical reasoning. Hence, although path-based calculi obscure the natural modularity
of modal inference, they do not eliminate it. I finish with a streamlined uniform proof system that
takes advantage of these results; as a consequence, proof search in this calculus can dynamically
exploit the local use of modular assumptions.

The justification of this new proof system makes much of a strategy originally due to
[Kleene, 1951], in which the inferences in a proof are reordered so as to satisfy a global
invariant. The strategy achieves termination despite generous copying and deepening of inferences
by a judicious choice of transformations within a double induction. In our cases, these
transformations are guided by the constraints of uniform proof, and by the cancellations of
disjunctive assumptions that we know we must maintain in proofs, to achieve modularity. This
provides an analogue of Loveland's transformations on restart proofs [Loveland, 1991] in the
sequent calculus setting.

Of course, modal logic is not just a modular logic. Modal logic provides a general, declarative
formalism for specifying change over time, the knowledge of agents, and other special-purpose
domains [Prior, 19W7, Hintikka, 1971, Schild, 1991]. Goal-directed systems for modal
proof are often motivated by such specifications [Farinas del Cerro, 1986, Debart et al., 1992,
Baldoni et al., 1993, Baldoni et al., 1995]. In generalizing goal-directed modal proof to
indefinite specifications, SCLP can play an important role in applying modal formalisms to
planning, information-gathering and communication [Stone, 1998a, Stone, 2UlK]. Even when content,
not modularity, is primary, the modular treatment of disjunction limits the size of proofs and the
kinds of interactions that must be considered in proof search. Such constraints are crucial to the
use of logical techniques in applications that require automatic assessment of incomplete
information, such as planning and natural language generation. The interest of these more general
applications helps explain why I pursue this investigation in the full first-order language.

1.3 Outline 

The structure of the rest of this paper is as follows. I begin by presenting first-order multi-modal logic in Section 2. I consider syntax (Section 2.1), semantics (Section 2.2) and finally proof (Section 2.3). I describe the explicitly-scoped Herbrand proof system for modal logic that is my starting point. Section 2.4 shows that this calculus offers a suitable framework for goal-directed proof because uniform proof search in this calculus is complete.

Section 3 describes and justifies a modular goal-directed proof system, as advertised in Section [LI]. I introduce the calculus itself in Section PTT] , along with key definitions and examples. Then in Sections |3^4-|J!4| I outline how this sequent calculus is derived in stages from the calculus of Section 2. Full details are provided in an appendix.

Finally, Section |^ offers a broader assessment of these results. I consider some further opti- 
mizations that the new sequent calculus invites in Section ^[1|, and briefly conclude in Section 
with some applications of first-order multi-modal inference that the new sequent calculus suggests. 

2 First-order multi-modal deduction 

I begin by supporting the informal presentation of first-order multi-modal logic from Section 1 more explicitly. I will adopt a number of techniques that are individually quite familiar. I allow an arbitrary number of modal operators and a flexible regime for relating different modal operators to one another, following many applied investigations [Debart et al., 1992, Baldoni et al., 1993, Baldoni et al., 1996, Baldoni et al., 1998b]. I use prefix terms for worlds and sequent calculus inference, following the comprehensive treatment of the first-order modal logic using prefix terms and analytic tableaux (or, seen upside-down, in the cut-free sequent calculus) of [Fitting and Mendelsohn, 1998]. I factor out reasoning about accessibility into side conditions on inference rules, similar to the proof-theoretic view of [Basin et al., 1998], in which reasoning about accessibility and boolean reasoning are clearly distinguished. And I use Herbrand terms to reason correctly about parameterized instances of formulas, avoiding the usual eigenvariable condition on quantifier (and modal) rules, as in [Lincoln and Shankar, 1994].



Though the techniques are routine, the combination is still somewhat unusual. Research in modal logic — whether the investigation is more mathematical [Gore, 1992, Massacci, 1998b, Massacci, 1998a, Gore, 1999] or primarily concerns algorithms for proof search [Otten and Kreitz, 1996, Beckert and Gore, 1997, Schmidt, 1998] — is dominated by the study of the propositional logic of a single modal operator (or accessibility relation). Moreover, researchers who have investigated modal logic in a first-order setting have tended to jump directly into a discussion of particular theorem-proving strategies, particularly resolution [Jackson and Reichgelt, 1987, Wallen, 1990, Catach, 1991, Frisch and Scherl, 1991, Auffray and Enjalbert, 19^, Nonnengart, 1993, Ohlbach, 1993].



2.1 Syntax 

Our language depends on a signature including a suitable set of atomic constants $C$ (and suitable predicate symbols and modalities). We then consider program statements of the syntactic category $D(C)$ and goals of the category $G(C)$ defined recursively as in (1); we refer to the union of these two languages as $L(C)$. (1) makes explicit the conditions observed in Section 1.2; there is no possibility or negation, and universal and hypothetical goals must be modal.

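$$
\begin{array}{lrcl}
(1) & G & ::= & A \mid [m]G \mid G \wedge G \mid G \vee G \mid [m](\forall x G) \mid \exists x G \mid [m](D \supset G) \\
    & D & ::= & A \mid [m]D \mid D \wedge D \mid D \vee D \mid \forall x D \mid \exists x D \mid G \supset D
\end{array}
$$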

In (1), $A$ schematizes an atomic formula; atomic formulas take the form $p_i(a_1, \ldots, a_k)$ where $p_i$ is a predicate symbol of arity $k$ and each $a_i$ is either a variable or an atomic constant in the set $C$. We assume some initial non-empty set of constants CONST. But it will be convenient to consider languages in which a countably infinite number of parameters are included in the language to supplement the symbols in CONST.

In (1), $[m]$ schematizes a modal operator of necessity; intuitively, such modal operators allow a specification to manipulate constrained sources of information. That is, a program statement $[m]D$ explicitly indicates that $D$ holds in the constrained source of information associated with the operator $[m]$. Conversely, a goal $[m]G$ can be satisfied only when $G$ is established by using information from the constrained source associated with $[m]$.

We will work in a multi-modal logic, in which any finite number $m$ of distinct necessity operators or modalities may be admitted. (Necessity operators will also be written as $\Box$ or $\Box_i$.) In addition to ordinary program statements, a specification may contain any of the following axiom schemes describing the modalities to be used in program statements and goals:

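$$
\begin{array}{lll}
(2) & \Box_i p \supset p & \text{veridicality (VER)} \\
    & \Box_i p \supset \Box_i \Box_i p & \text{positive introspection (PI)} \\
    & \Box_i p \supset \Box_j p & \text{inclusion (INC)}
\end{array}
$$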

These axioms describe the nature of the information that an operator provides, and spell out relationships among the different sources of information in a specification. (VER) is needed for information that correctly reflects the world; (PI), for information that provides a complete picture of how things might be; and (INC), for a source of information, $j$, that elaborates on information from another source, $i$. Because we use this explicit axiomatization, we can take the names of the modal operators as arbitrary.

We appeal to the usual notions of free and bound occurrences of variables in formulas; we likewise invoke the depth of a formula — the largest number of nested logical connectives in it.

2.2 Semantics

As is standard, we describe the models for the modal language in two steps. The first step is to set 
up frames that describe the structure of any model; a full model can then be obtained by combining 
a frame with a way of assigning interpretations to formulas in a frame. 

Definition 1 (Frame) A frame consists of a tuple $\langle \mathcal{W}, \mathcal{R}, \mathcal{D} \rangle$ where: $\mathcal{W}$ is a non-empty set of possible worlds; $\mathcal{R}$ names a family of $m$ binary accessibility relations on $\mathcal{W}$, a relation $\mathcal{R}_i$ for each modality $i$; and $\mathcal{D}$ is a domain function mapping members of $\mathcal{W}$ to non-empty sets.

Within the frame $\mathcal{F}$, the function $\mathcal{D}$ induces a set $\mathcal{D}(\mathcal{F})$, called the domain of the frame, as $\bigcup\{\mathcal{D}(w) \mid w \in \mathcal{W}\}$. In order to simplify the treatment of constant symbols, it is also convenient to define a set of objects that all the domains of the different possible worlds have in common, the common domain of the frame $\mathcal{F}$: $\mathcal{C}(\mathcal{F}) = \bigcap\{\mathcal{D}(w) \mid w \in \mathcal{W}\}$. We effectively insist that $\mathcal{C}(\mathcal{F})$ be non-empty as well, since CONST is non-empty and each symbol in CONST must be interpreted by an element of $\mathcal{C}(\mathcal{F})$.

The intermediate level of frames is useful in characterizing the meanings of modal operators and modal quantification. In particular, simply by putting constraints on $\mathcal{R}_i$ or on $\mathcal{D}$ at the level of frames, we can obtain representative classes of models in which certain general patterns of inference are validated. The constraints we will avail ourselves of are introduced in Definition 2.

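Definition 2 Let $\langle \mathcal{W}, \mathcal{R}, \mathcal{D} \rangle$ be a frame. We say the frame is:

• reflexive at $i$ if $w \mathcal{R}_i w$ for every $w \in \mathcal{W}$;

• transitive at $i$ if for any $w, w'' \in \mathcal{W}$, $w \mathcal{R}_i w''$ whenever there is a $w' \in \mathcal{W}$ such that $w \mathcal{R}_i w'$ and $w' \mathcal{R}_i w''$;

• narrowing from $i$ to $j$ if $w \mathcal{R}_j w'$ implies $w \mathcal{R}_i w'$ for all $w, w' \in \mathcal{W}$;

• increasing domain if for all $w, w' \in \mathcal{W}$, $\mathcal{D}(w) \subseteq \mathcal{D}(w')$ whenever there is some accessibility relationship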

Our scheme for using the constraints of Definition 2 depends on establishing a regime for the $m$ modalities in the language, describing the inferences that should relate them. The regime is defined as follows.

Definition 3 (Regime) A regime is a tuple $\langle \mathcal{A}, \mathcal{N}, \mathcal{Q} \rangle$, where: $\mathcal{A}$ is a function mapping each modality into one of the symbols K, K4, T and S4; $\mathcal{N}$ is a (strict) partial order on the modalities; and $\mathcal{Q}$ is the symbol increasing.

The reader will recognize the symbols in the image of $\mathcal{A}$ as the classic names for modal logics of a single modality. S4 is for modalities that are subject to (PI) and (VER). T is for modalities that are subject just to (VER). K4 is for modalities that are subject just to (PI). K is for modalities subject to neither axiom. The interactions specified by (INC) are determined by the partial order on modalities: $j < i$ when $\Box_i p \supset \Box_j p$. This meaning for these symbols can be enforced by considering only frames that respect the given regime.

Definition 4 (Respect) Let $\mathcal{F} = \langle \mathcal{W}, \mathcal{R}, \mathcal{D} \rangle$ be a frame, and let $\mathcal{S} = \langle \mathcal{A}, \mathcal{N}, \mathcal{Q} \rangle$ be a regime. We say $\mathcal{F}$ respects $\mathcal{S}$ whenever the following conditions are met for all modalities $i$ and $j$:

• If $\mathcal{A}(i)$ is T or S4 then $\mathcal{R}_i$ is reflexive.

• If $\mathcal{A}(i)$ is K4 or S4 then $\mathcal{R}_i$ is transitive.

• If $j < i$ according to $\mathcal{N}$ then $\mathcal{F}$ is narrowing from $i$ to $j$.

• If $\mathcal{Q}$ is increasing, then $\mathcal{F}$ is increasing domain.

From now on, we assume that some regime $\mathcal{S} = \langle \mathcal{A}, \mathcal{N}, \mathcal{Q} \rangle$ is fixed, and restrict our attention to frames that respect $\mathcal{S}$. Informally, now, a model consists of a frame together with an interpretation.

Definition 5 (Interpretation) $\mathcal{J}$ is an interpretation in a frame $\mathcal{F} = \langle \mathcal{W}, \mathcal{R}, \mathcal{D} \rangle$ if $\mathcal{J}$ satisfies these two conditions:

1. $\mathcal{J}$ assigns to each $n$-place relation symbol $p_i$ and each possible world $w \in \mathcal{W}$ some $n$-ary relation on the domain of the frame $\mathcal{D}(\mathcal{F})$.

2. $\mathcal{J}$ assigns to each constant symbol $c$ some element of the common domain of the frame $\mathcal{C}(\mathcal{F})$.

We can now define a model over $\mathcal{S}$:

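Definition 6 (Model) A first-order $k$-modal model over a regime $\mathcal{S}$ is a tuple $\langle \mathcal{W}, \mathcal{R}, \mathcal{D}, \mathcal{J} \rangle$ where $\langle \mathcal{W}, \mathcal{R}, \mathcal{D} \rangle$ is a frame that respects $\mathcal{S}$ and $\mathcal{J}$ is an interpretation in $\langle \mathcal{W}, \mathcal{R}, \mathcal{D} \rangle$.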

To define truth in a model, we need the usual notion of assignments and variants: 

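Definition 7 (Assignment) Let $\mathcal{M} = \langle \mathcal{W}, \mathcal{R}, \mathcal{D}, \mathcal{J} \rangle$ be a model (that respects the regime $\mathcal{S}$). An assignment in $\mathcal{M}$ is a mapping $g$ that assigns to each variable $x$ some member $g(x)$ of the domain of the frame of the model $\mathcal{D}(\langle \mathcal{W}, \mathcal{R}, \mathcal{D} \rangle)$.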

In proofs, we interpret formulas not just in the ordinary language $L(C)$ with a given set of modalities, relations, constants and variables, but in an expanded language $L(C \cup P)$ which also includes a set $P$ of first-order parameters; we will want to use the same models for this interpretation. Over $L(C \cup P)$, we suppose that an assignment in $\mathcal{M}$ also assigns some member $g(p)$ of the domain of the frame of $\mathcal{M}$ to each parameter $p$ in $P$.

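Definition 8 (Variants) Let $g$ and $g'$ be two assignments in a model $\mathcal{M} = \langle \mathcal{W}, \mathcal{R}, \mathcal{D}, \mathcal{J} \rangle$; $g'$ is an $x$-variant of $g$ at a world $w \in \mathcal{W}$ if $g$ and $g'$ agree on all variables except possibly for $x$ and $g'(x) \in \mathcal{D}(w)$.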

Definition 9 (Truth in a model) Let $\mathcal{M} = \langle \mathcal{W}, \mathcal{R}, \mathcal{D}, \mathcal{J} \rangle$ be a model. Then the formula $A$ is true at world $w$ of model $\mathcal{M}$ on assignment $g$ — written $\mathcal{M}, w \Vdash_g A$ — just in case the clause below selected by syntactic structure of $A$ is satisfied:

• $A$ is $p_i(t_1, \ldots, t_n)$: Then $\mathcal{M}, w \Vdash_g A$ just in case $\langle e_1, \ldots, e_n \rangle \in \mathcal{J}(p_i, w)$, where for each $t_i$, $e_i$ is $\mathcal{J}(t_i)$ if $t_i$ is a constant and $g(t_i)$ otherwise.

• $A$ is $B_1 \wedge B_2$: Then $\mathcal{M}, w \Vdash_g A$ just in case both $\mathcal{M}, w \Vdash_g B_1$ and $\mathcal{M}, w \Vdash_g B_2$.

• $A$ is $B_1 \vee B_2$: Then $\mathcal{M}, w \Vdash_g A$ just in case either $\mathcal{M}, w \Vdash_g B_1$ or $\mathcal{M}, w \Vdash_g B_2$.

• $A$ is $\Box_i B$: Then $\mathcal{M}, w \Vdash_g A$ just in case for every $w' \in \mathcal{W}$, if $w \mathcal{R}_i w'$ then $\mathcal{M}, w' \Vdash_g B$.

• $A$ is $\forall x B$: Then $\mathcal{M}, w \Vdash_g A$ just in case for every $x$-variant $g'$ of $g$ at $w$, $\mathcal{M}, w \Vdash_{g'} B$.

• $A$ is $\exists x B$: Then $\mathcal{M}, w \Vdash_g A$ just in case there is some $x$-variant $g'$ of $g$ at $w$ with $\mathcal{M}, w \Vdash_{g'} B$.

By a sentence we mean a formula of $L(\mathrm{CONST})$ in which no variables occur free. For any sentence $A$, model $\mathcal{M}$ and world $w$ of $\mathcal{M}$, a simple induction on depth guarantees that $\mathcal{M}, w \Vdash_g A$ for some assignment $g$ in $\mathcal{M}$ exactly when $\mathcal{M}, w \Vdash_g A$ for all assignments $g$ in $\mathcal{M}$. In this case, we can write simply $\mathcal{M}, w \Vdash A$ and say that $A$ is true in $\mathcal{M}$ at $w$.

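Definition 10 (Valid) Let $A$ be a sentence and $\mathcal{M} = \langle \mathcal{W}, \mathcal{R}, \mathcal{D}, \mathcal{J} \rangle$ be a model. $A$ is valid in $\mathcal{M}$ if for every world $w \in \mathcal{W}$, $\mathcal{M}, w \Vdash A$. $A$ is valid (on the regime $\langle \mathcal{A}, \mathcal{N}, \mathcal{Q} \rangle$) if $A$ is valid in any model $\mathcal{M}$ that respects the regime.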
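
On a finite model, Definitions 2, 4, 9 and 10 can be read directly as a procedure. The following Python sketch is an added example, not code from the paper: the tuple encoding of formulas, the function names, and the two-world model with modalities `k` and `b` are all constructed here for illustration.

```python
# Finite-model reading of Definitions 2, 4, 9 and 10 (added example).
# Formulas are nested tuples, an encoding assumed for this example:
#   ("atom", p, t1, ..., tn)  ("and", B1, B2)   ("or", B1, B2)
#   ("box", i, B)             ("forall", x, B)  ("exists", x, B)

def respects(frame, regime):
    """Definition 4: does the frame (W, R, D) respect the regime (A, N, Q)?"""
    worlds, rel, dom = frame
    kind, order, increasing = regime
    for i, k in kind.items():
        r = rel[i]
        if k in ("T", "S4") and any((w, w) not in r for w in worlds):
            return False                      # R_i must be reflexive
        if k in ("K4", "S4") and any((w, v) not in r
                                     for (w, u) in r for (u2, v) in r if u == u2):
            return False                      # R_i must be transitive
    if any(not rel[j] <= rel[i] for (j, i) in order):
        return False                          # j < i: narrowing from i to j
    if increasing and any(not dom[w] <= dom[v]
                          for r in rel.values() for (w, v) in r):
        return False                          # increasing domain
    return True


def holds(model, w, g, formula):
    """Definition 9: is the formula true at world w on assignment g?"""
    worlds, rel, dom, interp = model
    tag = formula[0]
    if tag == "atom":
        p, terms = formula[1], formula[2:]
        consts = interp["const"]
        # Constants are interpreted by J, all other terms by the assignment g.
        vals = tuple(consts[t] if t in consts else g[t] for t in terms)
        return vals in interp["rel"].get((p, w), set())
    if tag == "and":
        return holds(model, w, g, formula[1]) and holds(model, w, g, formula[2])
    if tag == "or":
        return holds(model, w, g, formula[1]) or holds(model, w, g, formula[2])
    if tag == "box":
        i, body = formula[1], formula[2]
        return all(holds(model, v, g, body) for (u, v) in rel[i] if u == w)
    if tag in ("forall", "exists"):
        x, body = formula[1], formula[2]
        # x-variants of g at w range over the local domain D(w) only.
        results = [holds(model, w, {**g, x: e}, body) for e in dom[w]]
        return all(results) if tag == "forall" else any(results)
    raise ValueError(f"unknown connective: {tag!r}")


def valid_in(model, sentence):
    """Definition 10: a sentence is valid in a model if true at every world."""
    return all(holds(model, w, {}, sentence) for w in model[0])


# Constructed sample: modality k is S4, b is K4, and b < k (R_b within R_k).
WORLDS = {0, 1}
REL = {"k": {(0, 0), (1, 1), (0, 1)}, "b": {(0, 1)}}
DOM = {0: {"a"}, 1: {"a", "c"}}
INTERP = {"const": {"a": "a"},
          "rel": {("p", 0): {("a",)},
                  ("p", 1): {("a",), ("c",)},
                  ("q", 1): {("c",)}}}
REGIME = ({"k": "S4", "b": "K4"}, {("b", "k")}, True)
FRAME = (WORLDS, REL, DOM)
MODEL = (WORLDS, REL, DOM, INTERP)
SOME_Q = ("exists", "x", ("atom", "q", "x"))

if __name__ == "__main__":
    print(respects(FRAME, REGIME))
    print(holds(MODEL, 0, {}, ("box", "b", SOME_Q)),
          holds(MODEL, 0, {}, ("box", "k", SOME_Q)))
```

The two boxed goals differ at world 0 because `k` is reflexive there while `b` only reaches world 1, whose larger domain supplies the witness.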

2.3 Proof theory 

We now present our basic deductive system — a cut-free path-based sequent calculus for multi-modal deduction which uses Herbrand terms to reason correctly about parameterized instances of formulas. Since this calculus represents our basic lifted sequent calculus for modal logic, we refer to it as SCL here. Our starting point is Theorem 1, that SCL provides a sound and complete characterization of valid formulas.

SCL has the advantage that inferences can be freely interchanged, allowing arbitrary proofs to be transformed easily into goal-directed proofs; we show in Theorem 2, presented in Section 2.4, how to obtain goal-directed proofs in this calculus. The very same flexibility of inference, however, means that this calculus neither respects nor represents the potential of modal inference to give proofs an explicitly modular structure.

The basic constituent in SCL is a tracked, prefixed formula. The formulas extend the basic languages $D(C)$ and $G(C)$ of definitions and goals defined in (1) by allowing additional terms — representing arbitrary witnesses of first order quantifiers, and arbitrary transitions of modal accessibility among possible worlds — to be introduced into formulas for the purposes of proof. We begin by assuming two countable sets of symbols: a set $H$ of first-order Herbrand functions and $\Upsilon$ of modal Herbrand functions. We can now define sets $P_H$ of first-order Herbrand terms, $K_\Upsilon$ of modal Herbrand terms, and $\Pi(K_\Upsilon)$ of Herbrand prefixes by mutual recursion:

Definition 11 (Herbrand terms and prefixes) Assume that $t_0$ is a Herbrand prefix and let $t_1, \ldots, t_n$ be a sequence (possibly empty), where each $t_i$ is either an element of $C$, a first-order Herbrand term, or a Herbrand prefix. Then if $h$ is a first-order Herbrand function then $h(t_0, t_1, \ldots, t_n)$ is a first-order Herbrand term. If $\eta$ is a modal Herbrand function then $\eta(t_0, t_1, \ldots, t_n)$ is a modal Herbrand term. A Herbrand prefix is any finite sequence of modal Herbrand terms.

The rationale behind the use of a Herbrand term $h(X)$ at an existential inference $R$ goes like this. At existential inferences, we need to reason about a generic individual. We need to have a suitable representation for a generic individual for $R$. Regardless of the order in which inferences are applied in a sequent deduction, there will be some parameters that must occur in the sequent where $R$ applies. For example, some parameters must appear here as a result of the instantiations that must take place in deriving the formula to which $R$ applies. We must be sure that the individual we introduce for $R$ is different from all these parameters. The terms $X$ which are supplied as an argument to the Herbrand term $h(X)$ identify these parameters indirectly. The structure $h(X)$ therefore serves as a placeholder for a new parameter that could be chosen to be different from each of the terms in $X$. The structure $h(X)$ thus packs all the information required to allow the inferences in the proof to be reordered and an appropriate parameter chosen so that the inference at $R$ is truly generic.

In modal deduction, of course, we need generic individuals at modal inferences as well as 
existential ones. Modal Herbrand inference therefore requires that we introduce Herbrand terms 
to describe transitions among possible worlds and Herbrand prefixes to name possible worlds, in 
addition to introducing first-order Herbrand terms to represent first-order parameters. In this case, 
the arguments X to Herbrand terms must mix first-order Herbrand terms and Herbrand prefixes, 
since logical formulas can encode dependencies among first-order and modal parameters. 

A prefixed formula is now an expression of the form $A^{\mu}$ with $A$ a formula and $\mu$ a Herbrand prefix — we use $D(C \cup P_H)^{\Pi(K_\Upsilon)}$ and $G(C \cup P_H)^{\Pi(K_\Upsilon)}$ to refer to prefixed definitions and prefixed goals. For Herbrand calculi, formulas must also be tracked to indicate the sequence of instantiations that has taken place in the derivation of the formula.

Definition 12 (Tracked expressions) If $E$ denotes the expressions of some class, then the tracked expressions of that class are expressions of the form $e_I$ where $e$ is an expression of $E$ and $I$ is a finite sequence (possibly empty) of elements of $C \cup P_H \cup \Pi(K_\Upsilon)$.

We say that a tracked expression $e_I$ tracks a term $t$ just in case $t$ occurs as a subterm of some term in $I$.

In order to reason correctly about multiple modal operators, we need to keep track of the kinds of accessibility that any modal transition represents. To endow the system with correct first-order reasoning on increasing domains, we also need to keep track of the worlds where first-order terms are introduced. We use the following notation to record these judgments: $\mu/\nu : i$ indicates that world $\nu$ is accessible from world $\mu$ by the accessibility relation for modality $i$; and $t : \mu$ indicates that the entity associated with term $t$ exists at world $\mu$.

It is convenient to keep track of this information by anticipating the restricted reasoning required for our fragment $L(C)$ and exploiting the structure of Herbrand terms, as follows. It is clear that there are countably many first-order Herbrand terms, Herbrand prefixes, and formulas in $L(C \cup P_H)$. We can therefore describe a correspondence as follows. If $A$ is a formula of the form $\forall xB$ or $\exists xB$ and $u$ is a natural number, we define a corresponding first-order Herbrand function $h^u_A$ so that each first-order Herbrand function is $h^u_A$ for some $A$ and no first-order Herbrand function is $h^u_A$ and $h^v_B$ for distinct $A$ and $B$ or distinct $u$ and $v$. Likewise, if $A$ is a formula of the form $\Box_i B$ and $u$ is a natural number, we define a corresponding modal Herbrand function $\eta^u_A$ so that each modal Herbrand function is $\eta^u_A$ for some $A$ and no modal Herbrand function is $\eta^u_A$ and $\eta^v_B$ for distinct $A$ and $B$ or distinct $u$ and $v$. (Indexing Herbrand functions by natural numbers means that adapting a Herbrand proof to respect an eigenvariable condition can be as simple as reindexing its Herbrand functions.) Now we have:

Definition 13 (Herbrand typings) A Herbrand typing for the language $L(C \cup P_H)$ (under a correspondence as just described) is a set $\Sigma$ of statements, each of which takes one of two forms:

1. $\mu/\mu\eta : i$ where: $\mu$ is a Herbrand prefix and $\eta$ is a modal Herbrand term of the form $\eta^u_A(\mu, \ldots)$ and $A$ is $\Box_i B$.

2. $t : \mu$ where $t$ is a first-order Herbrand term of the form $h(\mu, \ldots)$.

A sequence of modal and first-order Herbrand terms $X$ determines a Herbrand typing $\Sigma_X$, consisting of the appropriate $\mu/\mu\eta : i$ for each modal Herbrand term $\eta$ that occurs in $X$ (possibly as a subterm) and the appropriate $h : \mu$ for each first-order Herbrand term $h$ that occurs in $X$ (possibly as a subterm).

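Definition 14 (Typings) Suppose that $\Sigma$ is a Herbrand typing over a language $L(C \cup P_H)^{\Pi(K_\Upsilon)}$, and that $\mathcal{S} = \langle \mathcal{A}, \mathcal{N}, \textit{increasing} \rangle$ is a modal regime. We define the relation that $E$ is a derived typing from $\Sigma$ with respect to $\mathcal{S}$, written $\mathcal{S}, \Sigma \triangleright E$, as the smallest relation satisfying the following conditions:

(K). $\mathcal{S}, \Sigma \triangleright \mu/\nu : i$ if $\mu/\nu : i \in \Sigma$.

(T). $\mathcal{S}, \Sigma \triangleright \mu/\mu : i$ if $\mathcal{A}(i)$ is T or S4, and $\mu$ occurs in $\Sigma$.

(4). $\mathcal{S}, \Sigma \triangleright \mu/\nu : i$ if $\mu'/\nu : i \in \Sigma$, $\mathcal{S}, \Sigma \triangleright \mu/\mu' : i$, and $\mathcal{A}(i)$ is K4 or S4.

(Inc). $\mathcal{S}, \Sigma \triangleright \mu/\nu : i$ if $\mathcal{S}, \Sigma \triangleright \mu/\nu : j$ and $j < i$ according to $\mathcal{N}$.

(V). $\mathcal{S}, \Sigma \triangleright t : \mu$ if $t : \mu \in \Sigma$.

(I). $\mathcal{S}, \Sigma \triangleright t : \nu$ if $\mathcal{S}, \Sigma \triangleright \mu/\nu : i$ for some $i$ and $\mathcal{S}, \Sigma \triangleright t : \mu$.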

Inspection of these rules shows that $\mathcal{S}, \Sigma \triangleright \mu/\nu : i$ only if $\nu$ and $\mu$ occur in $\Sigma$. Moreover, given these rules, an easy induction on the length of typing derivations gives that $\mathcal{S}, \Sigma \triangleright \mu/\nu : i$ only if $\nu = \mu\nu'$ for some prefix $\nu'$. Thus, suppose that $\mathcal{S}, \Sigma \triangleright \mu/\nu : i$ for some Herbrand typing $\Sigma$: each step in the derivation must concern some prefix of $\nu$ and thus $\mathcal{S}, \Sigma_\nu \triangleright \mu/\nu : i$. These invariants permit some simplifications in reasoning in the fragment $L(C \cup P)$ over more expressive modal regimes containing other modal operators and other uses of connectives.
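
Because the derived-typing relation of Definition 14 is the least relation closed under six rules, a side condition of the form "$\mu/\nu : i$ is derivable" can be decided by saturating a finite typing. The following Python sketch is an added example, not part of the paper: prefixes are encoded as tuples of modal Herbrand term names, the statement encoding and the sample regime and typing are constructed for illustration, and "occurs in $\Sigma$" in rule (T) is read as occurring on either side of a statement (an assumption).

```python
# Saturation of a Herbrand typing under Definition 14 (added example).

def derived_typings(regime, sigma):
    """Return (accessibility judgments, domain judgments) derivable from sigma.

    regime: (kind, order); kind maps each modality to "K", "K4", "T" or "S4",
            and order is a set of pairs (j, i) meaning j < i.
    sigma:  statements ("acc", mu, nu, i) for mu/nu : i and
            ("dom", t, mu) for t : mu; prefixes are tuples of term names.
    """
    kind, order = regime
    given_acc = {s[1:] for s in sigma if s[0] == "acc"}
    given_dom = {s[1:] for s in sigma if s[0] == "dom"}
    # Assumed reading of "mu occurs in Sigma": any prefix named in a statement.
    prefixes = ({p for (mu, nu, _) in given_acc for p in (mu, nu)}
                | {mu for (_, mu) in given_dom})

    acc = set(given_acc)                                   # rule (K)
    dom = set(given_dom)                                   # rule (V)
    for i, k in kind.items():                              # rule (T)
        if k in ("T", "S4"):
            acc |= {(mu, mu, i) for mu in prefixes}

    while True:
        new_acc, new_dom = set(), set()
        for (mu, mid, i) in acc:
            if kind[i] in ("K4", "S4"):
                # rule (4): extend a derived mu/mid : i by a given mid/nu : i
                new_acc |= {(mu, nu, i) for (m, nu, i2) in given_acc
                            if m == mid and i2 == i}
            # rule (Inc): mu/mid : j yields mu/mid : i whenever j < i
            new_acc |= {(mu, mid, i2) for (j, i2) in order if j == i}
            # rule (I): a term typed at mu is also typed at any accessible world
            new_dom |= {(t, mid) for (t, m) in dom if m == mu}
        if new_acc <= acc and new_dom <= dom:
            return acc, dom
        acc |= new_acc
        dom |= new_dom


def side_condition(regime, sigma, mu, nu, i):
    """Is mu/nu : i a derived typing from sigma with respect to the regime?"""
    return (mu, nu, i) in derived_typings(regime, sigma)[0]


# Constructed sample: modality a is K, b is S4, and a < b.
EPS, A, AB = (), ("alpha",), ("alpha", "beta")
TYPING_REGIME = ({"a": "K", "b": "S4"}, {("a", "b")})
SIGMA = {("acc", EPS, A, "a"), ("acc", A, AB, "b"), ("dom", "t", EPS)}

if __name__ == "__main__":
    acc, dom = derived_typings(TYPING_REGIME, SIGMA)
    for judgment in sorted(acc, key=repr):
        print(judgment)
    print(sorted(dom, key=repr))
```

In the sample, the empty prefix reaches `alpha beta` under `b` by (Inc) followed by (4), but not under `a`, which is a plain K modality.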

These definitions allow us to describe the modal Herbrand sequent calculus precisely. This calculus, SCL, is given in Definition 15. Note that for this fragment of modal logic, it suffices to consider sequents of the form $\Delta \longrightarrow \Gamma$, where $\Delta$ is a multiset of prefixed definitions (from $D(C \cup P_H)^{\Pi(K_\Upsilon)}$), and $\Gamma$ is a multiset of prefixed goals (from $G(C \cup P_H)^{\Pi(K_\Upsilon)}$). Note also that $\mathcal{S}, \Sigma \triangleright \mu/\nu : i$ only if $\nu$ is of the form $\mu\nu'$.

Definition 15 (Herbrand sequent calculus) For basic first-order multi-modal Herbrand deductions in our fragment over a regime $\mathcal{S}$, we will use the sequent rules defined here, which comprise the system SCL. The rules consist of an axiom rule and recursive rules — each recursive rule relates a base sequent below to one or more spur sequents above; it applies to the base in virtue of an occurrence of a distinguished tracked, prefixed formula in the sequent; we refer to this as the principal expression or simply the principal of the inference. Similarly, each of the sequent rules introduces new expressions onto each spur, which we refer to as the side expressions of the rule. We will also refer to the two named expression occurrences at axioms as the principal expressions or principals of the axiom. Now we have:

1. axiom — A atomic: 



2. conjunctive: 



A — *- r,A 



r,AD5^ 



A,A^^r,AD^^,4 



3. disjunctive: 



A — ^ r,A A^^,A^ A — ^ r,A A^^,^^ , 

A— ^r,AA5^ ^'^ 

A,AV^^,A^ — ^ r A,AV^^,^^ 

A,AV5^— ^^^> 

A, A D ^ A^,r A,A D — ^ r 

4. possibility — where T| is r\'^.j^{p,X) for some u: 

A — r,n,Aj ^ ^ 

5. necessity — subject to the side condition S ,'Zv>l^/lJ^ '■ i- 

A,a.A^,ACv— r 

A,n,A^^r 

6. existential — subject to the side condition that h is hg{iu,X) for ^ the principal of the rule 
(either 3xA or \/xA) and some u: 

A^xAM[V^£^--r ^ A r,yxA^^,A[h/x]% ^ 

A,3xA^ — r ^^^> A — r,VxA^ ^^^> 
7. universal — subject to the side condition S , Sf i>t : /j:

A,VM^— ^^^^ A— ^r,3M^ ^^^^ 

An $\mathcal{S}$-proof or $\mathcal{S}$-derivation for a sequent $\Delta \longrightarrow \Gamma$ is a tree built by application of these inference figures (in such a way that any side conditions are met for regime $\mathcal{S}$), with instances of the axiom as leaves and with the sequent $\Delta \longrightarrow \Gamma$ at the root. A tree similarly constructed except for containing some arbitrary sequent $S$ as a leaf is a derivation from $S$.

I state the correctness theorem for this proof theory in a way that highlights the continuity with previous work on modal logic, particularly [Fitting, 1983].

Theorem 1 (Soundness and Completeness) Suppose there is an $\mathcal{S}$-proof for a sequent $\longrightarrow A$. Then $A$ is valid. Conversely, if there is no $\mathcal{S}$-proof for the sequent $\longrightarrow A$ then there is a model $\mathcal{M}$ (that respects $\mathcal{S}$) and world $w$ such that $\mathcal{M}, w \nVdash A$.

I merely sketch a proof here, which involves simply applying the standard techniques of [Fitting, 1983, Lincoln and Shankar, 1994]. It is convenient to prove an intermediate result, using a slightly modified sequent calculus SCE which imposes an eigenvariable condition on the possibility and existential rules — $u$ must be new. We can show the soundness of SCE by adapting the arguments presented in [Fitting, 1983, 2.3] and [Fitting and Mendelsohn, 1998, 5.3]. Meanwhile, we can follow [Fitting, 1983] in developing the completeness argument in terms of analytic consistency properties for the modal language. This argument can be seen as a formalization of the motivation for sequent calculi in the systematic search for models. Now, modal formulas may be satisfied only in infinite models, so the completeness theorem effectively requires us to consider infinite sequences of applications of sequent rules. In moving to infinite sets in this way, we must formally move from deductions, viewed as syntactic objects, to a more abstract, algebraic characterization of sets of modal formulas.

We can now establish the correctness of SCL by syntactic methods, which relate SCL proofs to SCE proofs. Suppose $\Gamma$ and $\Delta$ contain sentences of $L(\mathrm{CONST})$ (labeled with the empty prefix). Completeness is immediate: if there is an SCE proof for $\Gamma \longrightarrow \Delta$, that very proof is also an SCL proof of $\Gamma \longrightarrow \Delta$. Conversely, the soundness theorem says that if there is an SCL proof of $\Gamma \longrightarrow \Delta$, then there is an SCE proof for $\Gamma \longrightarrow \Delta$. We establish this by simply adapting the general Herbrand theorem of [Lincoln and Shankar, 1994] to SCE. The idea behind the soundness result is that the structure of Herbrand terms provides enough information to reconfigure an SCL proof (by an inductive process of interchanges of inference, like that considered next in Section 2.4) so that equivalents of the eigenvariable conditions are enforced. The SCL proof may then be reindexed to respect SCE's eigenvariable requirements. ■

2.4 Permutability of inference and uniform proofs 

Our syntactic methods for reasoning about derivations exploit permutability of inference — the general ability to transform derivations so that inferences are interchanged [Kleene, 1951]. To develop the notion of permutability of inference, we need to make some observations about the SCL sequent rules. First, the reasoning that is performed in subderivations is reasoning about subformulas (and vice versa). That is, in any spur sequent, the occurrence of the principal expression and the side expression all correspond to — or as we shall say, are based in — the occurrence of the principal expression in the base sequent. Likewise, each of the remaining expressions in the spur are based in an occurrence of an identical expression in the base. Here, as in [Kleene, 1951], we are assuming an analysis of each inference to specify this correspondence in the case where the same expression has multiple occurrences in the base or in a spur. Thus, our proof techniques, where they involve copying derivations, sometimes involve (implicit) reanalyses of inferences.

Now, in any derivation, the spur of one inference serves as the base for an adjacent inference or an axiom. We can therefore associate any tracked prefixed formula occurrence $E$ in any sequent in the derivation with the occurrence in the root (or end-sequent) which $E$ is based in. A similar notion can relate inferences, as follows. Suppose $O$ is the inference at the root of a (sub)derivation, and $L$ is another inference in the (sub)derivation. Then $L$ is based in an expression $E$ in the spur of $O$ if the principal expression of $L$ is based in $E$; $L$ is based in $O$ itself if $E$ is a side expression of $O$. An important special case is that of an axiom based in an inference $O$. In effect, such an axiom marks a contribution that inference $O$ contributes to completing the deduction.

To define interchanges of inference, we appeal to the two basic operations of contraction and 
weakening, which we cast as transformations on proofs. (In other proof systems, contraction and 
weakening may be introduced as explicit structural rules.) 

Lemma 1 (Weakening) Let $\mathcal{D}$ be an SCL proof, let $\Delta_0$ be a finite multiset of tracked prefixed definitions and let $\Gamma_0$ be a finite multiset of tracked prefixed goals (in the same language as $\mathcal{D}$). Denote by $\Delta_0 + \mathcal{D} + \Gamma_0$ a derivation exactly like $\mathcal{D}$, except that where any node in $\mathcal{D}$ carries $\Delta \longrightarrow \Gamma$, the corresponding node in $\Delta_0 + \mathcal{D} + \Gamma_0$ carries $\Delta, \Delta_0 \longrightarrow \Gamma, \Gamma_0$. (When $\Delta_0$ or $\Gamma_0$ is empty, we drop the corresponding $+$ from the notation.) Then $\Delta_0 + \mathcal{D} + \Gamma_0$ is also an SCL proof.



Lemma 2 (Contraction) Let $\mathcal{D}$ be an SCL proof whose root carries $\Delta \longrightarrow \Gamma, E, E$. Then we can construct an SCL proof $\mathcal{D}'$ whose root carries $\Delta \longrightarrow \Gamma, E$, whose height is at most the height of $\mathcal{D}$ and where there is a one-to-one correspondence (also preserving order of inferences) that takes any inference of $\mathcal{D}'$ to an inference with the same principal and side expressions in $\mathcal{D}$. We can likewise transform an SCL proof $\mathcal{D}$ whose root carries $\Delta, E, E \longrightarrow \Gamma$ into an SCL proof $\mathcal{D}'$ whose root carries $\Delta, E \longrightarrow \Gamma$.

These lemmas follow from straightforward induction on the structure of derivations. These con- 
sequences continue to hold, suitably adapted, for the intermediate proof systems that we will con- 
struct from SCL in later sections. 

Now consider two adjacent inferences in a derivation, a base inference $R$ and an inference $S$ (whose base is a spur of $R$). If $S$ is not based in $R$, we may replace the derivation rooted at the base of $R$ by a new derivation of the same end-sequent in which $S$ applies at the root, $R$ applies adjacent, and the remaining subderivations are copied from the original derivation (but possibly weakened to reflect the availability of additional logical premises). Performing such a replacement constitutes an interchange of rules $R$ and $S$ and demonstrates the permutability of $R$ over $S$; see [Kleene, 1951]. SCL is formulated so that any such pair of inferences may be exchanged in this way.

We also observe that we can correctly introduce an abbreviation for goal occurrences of
$\Box_i(A \supset B)$ by a single formula $(A >_i B)$ and the consolidation of corresponding inferences $(\rightarrow\Box_i)$
and $(\rightarrow\supset)$ into a single figure $(\rightarrow >_i)$, while retaining unrestricted interchange of inference. Again
when the inference applies to principal A^, the figure is formulated using r\ for r\'^{/j,X) as: 

We will refer to the calculus using $(\rightarrow >_i)$ in place of $(\rightarrow\Box_i)$ and $(\rightarrow\supset)$ as SCLI, and consider SCLI in the sequel.

[Miller, 1994, Miller, 1996] uses Definition 16 to characterize abstract logic programming languages.

Definition 16 A cut-free sequent proof $\mathcal{D}$ is uniform if for every subproof $\mathcal{D}'$ of $\mathcal{D}$ and for every non-atomic formula occurrence $B$ in the right-hand side of the end-sequent of $\mathcal{D}'$ there is a proof $\mathcal{D}''$ that is equal to $\mathcal{D}'$ up to a permutation of inferences and is such that the base inference in $\mathcal{D}''$ introduces the top-level logical connective of $B$.



Definition 17 A logic with a sequent calculus proof system is an abstract logic programming lan- 
guage if restricting to uniform proofs does not lose completeness. 

It is easy to show that the sequent calculi SCL and SCLI are abstract logic programming languages 
in this sense. In fact, by this definition every SCL or SCLI derivation is uniform. 

To anticipate our analysis of permutability in later sections, let us introduce the notion of an 
eager derivation in SCL or SCLI. 

Definition 18 Consider a derivation $\mathcal{D}$ containing a right inference $R$ that applies to principal $E$. $R$ is delayed exactly when there is a subderivation $\mathcal{D}'$ of $\mathcal{D}$ where: $\mathcal{D}'$ contains $R$; $\mathcal{D}'$ has a left inference $L$ at the root; and the principal $E$ of $R$ is based in an occurrence of $E$ in the end-sequent of $\mathcal{D}'$.

Consider this schematic diagram of such a subderivation 




On an intuitive conception of a sequent proof as a record of proof search constructed from root upwards, $R$ is delayed in that we have waited in $\mathcal{D}$ to apply $R$ until after consulting the program by applying $L$, when we might have applied $R$ earlier. Thus, we will also say in the circumstances of Definition 18 that $R$ is delayed with respect to $L$.

Definition 19 $\mathcal{D}$ is eager exactly when it contains no delayed applications of right rules.

By transforming any derivation $\mathcal{D}$ into an eager derivation $\mathcal{D}'$ by permutations of inferences, we
make it clear that reasoning about goals can always precede reasoning with program statements,
and thereby provide a starting point for further analysis of goal-directed proof search.

Theorem 2 Any SCL(I) derivation $\mathcal{D}$ is equal to an eager derivation $\mathcal{D}'$ up to permutations of
inferences.



The proof follows [Kleene, 1951, Theorem 2]. A double induction transforms each derivation
into an eager one; the inner induction rectifies the final rule of a derivation whose subderivations
are eager by an interchange of inferences (and induction) [Kleene, 1951, Lemma 10]; the outer
one rectifies a derivation by rectifying the furthest violation from the root (and induction). See
Appendix A. ■

3 Modular goal-directed proof search 

3.1 Overview 

Eager derivations do not make a satisfactory specification for goal-directed proof in a logic pro- 
gramming sense, because they do not embody a particularly directed search strategy. For one thing, 
eager derivations are free to work in parallel on different disjuncts of a goal using different program 
statements; in logic programming we want segments in which a single program statement and a 
single goal is in force. Moreover, eager derivations can reuse work across separate case analyses; 
in logic programming we want blocks where particular cases are investigated separately. Finally, 
because of their classical formulation, eager derivations do not enforce or exploit any modularity 
in their underlying logic. Our task is to remedy these faults of eager derivations. 

Our result takes the form of an alternative sequent calculus SCLP which is equivalent to SCL.
SCLP enforces a strictly goal-directed proof search through the structure of its inferences. First,
SCLP sequents take the form

$$\Gamma; U \longrightarrow V; \Delta$$

We understand $\Gamma$ to specify the global program and $\Delta$ to specify the global restart goals; both are
multisets of tracked, prefixed formulas. $U$ is at most one tracked, prefixed formula, representing the
current program statement; $V$ is at most one tracked, prefixed formula, representing the current
goal.

Logical rules apply only to the current program statement and the current goal. In addition, if
there is a current program statement $U$ then the current goal $V$ must be an atomic formula. Thus,
the interpreter first breaks the goal down into its components. Once an atomic goal is derived,
the program is consulted; the selected program statement is decomposed and matched against the
current goal by applicable logical rules. The form of the $(\supset\rightarrow)$ figure ensures that the interpreter
continues to work on at most one goal at any time; this gives SCLP proofs their segment structure.
Meanwhile, the form of the $(\vee\rightarrow)$ figures specify no current goal in their second case. The new
current goal can then be chosen flexibly from possible restart goals. This gives SCLP proofs their
block structure.



The new inferences are presented in Definitions 20 and 21. Definition 20 shows the rules for
decomposing program statements; Definition 21 shows the rules for decomposing goals.

Definition 20 (Logic programming calculus — programs) The following inference figures de- 
scribe the logic programming sequent calculus SCLP as it applies to program statements. 



1. axiom — A atomic: 



r;A^— ^A^A 
2. decision (program consultation) — again A atomic: 



3. conjunctive: 



r;P^--^A];;A 



4. disjunctive: 



5. implication: 



r;/^^A]:;A r,6^;— ^;A ^, 
r^PV^^=^A^iA 

r;j2^— ^A]:;A r,P^;— ^;A 
r;PV(2^ — ^A^ 

r; — ^ 6^;A r;/^— ^A^:;A 



6. necessity — subject to the side condition that there is a typing derivation S ,'Zv>i^/iJ>^ '. i: 

r,n,p^^A]:';A°'-^ 

7. existential — subject to the side condition that h is h^p{n^X) for some u: 

T;P[h/x])^,^A\-A 
r;3jc.P^ — ^AjyA~ 

8. universal — subject to the side condition that there is a typing derivation J , S,^^ > f : 

r^p[?A]£^--A^ 



Definition 21 (Logic programming calculus — goals) The following inference figures describe 
the logic programming sequent calculus SCLP as it applies to goals. 



1. restart: 

n *- G^;G^, A 
r;— ^;G^,A 



restart 
2. conjunctive goals: 



3. disjunctive goals: 



r;^F^;A r;— ^G^;A 
r;— ^FAG^ 

rv-^;A 



A 



r;— ^FVG^;A 



rv— 



r;— ^FVG^;A 

4. necessary goals — where x\ is V[\{[j,X) for the principal of the rule and for some u for 
which T]^ does not occur in A or T: 

r;— ^F>rG^;A ^ 

p ^ ■ a 

r;^n,G^;A ^ 

5. universal goals — subject to the side condition that h is for some u: 

r;^G[Vx]^,,;A 
r;— ^ VxG^;A~^^ 

6. existential goals — subject to the side condition that there is a typing derivation S , S^^^o f : /u: 

r;^G[t/x]l-A 
r;— ^ 3xG^;A~^^ 



Inspection of the figures of Definitions 20 and 21 reveals the following generalization of
modularity and locality: in any derivation, the label of the current program statement must be a prefix
of the label of the current goal. Moreover, goal labels are always extended with novel symbols,
because of the eigenvariable condition in the $(\rightarrow\Box)$ figure. Inductively, these facts determine a
strong invariant — consider a block beginning with a restart inference whose spur is

$$\Gamma; \longrightarrow G^{\nu}; \Delta$$

and consider any expression $P^{\mu}$ in $\Gamma$. If $\mu$ is not a prefix of $\nu$, then $\mu$ will not be a prefix of the label
of any goal formula in the block. Thus $P^{\mu}$ cannot be used in the block. (Compare [Stone, 1999,
Lemma 2].)

This is why the (restart) rule of SCLP can be made modular, so that it limits the work that
is reanalyzed to the scope of the ambiguity just introduced. We must simply show that the new
disjunct will contribute to its restart goal. In particular, define canceled blocks as in Definition 23.

Definition 22 (Linked) An expression $E$ in a sequent in an SCLU derivation $\mathcal{D}$ is linked iff the
principal formula of an axiom in the same block of $\mathcal{D}$ as that sequent is based in $E$. An inference
$R$ is linked in $\mathcal{D}$ if some side expression of $R$ is linked in each spur of $R$. A derivation or block is
linked iff all of the inferences in it are linked.

Definition 23 (Canceled) A block is canceled if it contains the root of $\mathcal{D}$, or if the side expression
$E$ of the $(\vee\rightarrow)$ inference whose spur is the root of the block is linked.

Thus a canceled block includes a use of any disjunctive case introduced in the block. The key fact 
about SCLP is that it suffices to consider only canceled blocks in proof search. 

Theorem 3 Let $\Gamma$ and $\Delta$ be multisets of tracked prefixed expressions in which each formula is
tracked by the empty set and prefixed by the empty prefix. There is a proof of $\Gamma \longrightarrow \Delta$ in SCL
exactly when there is a proof of $\Gamma; \longrightarrow ; \Delta$ in SCLP in which every block is canceled.

The discussion of the following subsections represents an outline of the proof of this result. The
strategy is to transform eager proofs from SCL to SCLP by a series of refinements of sequent rules
that make the logic programming strategy explicit. We give force to the idea that the interpreter
has a current goal and current program statement, in Section 3.2. Then we create blocks for case
analysis, in Section 3.3. Finally, we enforce modularity, in Section 3.4. See also Appendix B.

Figure |] shows how the proof of Figure |5| is recast in SCLP. Figure ^ extends Figure |^ to make 
the bookkeeping of goal-directed proof explicit. In Figure ||, the informal underline of Figure ^ is 
gone, and instead the current goal and the current program statement are displayed at distinguished 
positions in sequents. New (restart) and (decide) inferences mark the consideration of new goals 
and new program statements. Of course, the logical content of the two inferences is identical. 
Applying Definition ^ block |T] is canceled because it contains the root; there is no new disjunct 



IS 



to discharge here. Block is canceled: the inference whose spur is the root of block 
the (V — and its side expression is an occurrence of B, the new disjunct in the block. This 
occurrence is linked in the block because of the leftmost axiom . . . ;5 — *- B\F which is based in 
it; the inference (V — is linked in the block for the same reason. Similarly block 7!_ is canceled 
because the new disjunct C (the side expression of the (V — >^) inference whose spur is the root of 
block 



2' 



) contributes to the leftmost axiom . . . ;C — *- C,F in the block. 

Figure shows how the proof of Figure ^ is recast in SCLP. The most dramatic change here 
is that the inferences of Figure ^ are segmented out into three blocks. Another change is the 
discipline of explicit scope; we introduce a suitable term $\alpha$ to represent the generic context in
which we prove $\Box A$ and another suitable term $\beta$ to represent the generic context in which we prove
$\Box C$. Correspondingly, we transition to $\alpha$ in using $\Box(A \vee B)$ and transition to $\beta$ in using $\Box(C \vee D)$.
In the (restarts) of [s] and 6 the changes interact. In [s] we pick the modular restart $A^{\alpha}$ in order to
permit a contribution by the new assumption $B^{\alpha}$. In [6] we pick the modular restart in order to
permit a contribution by the new assumption $D^{\beta}$.



3.2 Segment structure 

Our first task is to formalize goal-directed search that directs attention to a single goal at a time. To
distinguish such goals, we begin with a trick that for now is purely formal — introducing an
articulated SCLI. We represent assumptions as a pair $\Pi; \Gamma$ with $\Pi$ encoding the global program and $\Gamma$
encoding local program statements; eventually local statements will be processed only in the current
segment and then discarded. (Compare the similar notation and treatment from [Girard, 1993].)
Similarly, we represent goals as a pair $\Delta; \Theta$, with $\Theta$ encoding the restart goals and $\Delta$ encoding the
local goals; ultimately, we will also describe inference rules which will discard $\Delta$ between
segments. With this representation, principal formulas of logical rules are local formulas, in $\Gamma$ or $\Delta$;
so are the side formulas — with these exceptions: the $(\rightarrow\Box)$ and $(\rightarrow>)$ rules augment $\Pi$ instead of
$\Gamma$ (when they add a new program statement) and $\Theta$ instead of $\Delta$ (when they add new restart goals).

[Figure 6 (proof tree not recoverable from the extracted text)]

Figure 6: The SCLP presentation of the proof of Figure ^

New (decide) and (restart) rules keep this change general; they allow a global formula — a 
program statement or restart goal — to be selected and added to the local state. 



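$$\frac{\Pi, A^{\mu}; \Gamma, A^{\mu} \longrightarrow \Delta; \Theta}{\Pi, A^{\mu}; \Gamma \longrightarrow \Delta; \Theta}\ (\text{decide}) \qquad \frac{\Pi; \Gamma \longrightarrow \Delta, G^{\mu}; \Theta, G^{\mu}}{\Pi; \Gamma \longrightarrow \Delta; \Theta, G^{\mu}}\ (\text{restart})$$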



Lemma 3 (Articulation) Every SCLI deduction can be converted into an articulated SCLI
deduction with an end-sequent of the form $\Pi; \longrightarrow ; \Theta$ in such a way that if the initial derivation is eager
then so is the resulting derivation (and vice versa).

[Figure 7 (proof tree not recoverable from the extracted text)]

Figure 7: The SCLP presentation of the proof of Figure 0. We suppress tracking of formulas and
hide the internal structure of Herbrand terms.

Proof. Straightforward structural induction. ■ 

The next step is to introduce an inference figure $(\supset\rightarrow^{S})$ that imposes a segment structure on
derivations, thus:

$$\frac{\Pi; \longrightarrow A^{\mu}, \Delta; \Theta \qquad \Pi; \Gamma, A \supset B^{\mu}, B^{\mu} \longrightarrow \Delta; \Theta}{\Pi; \Gamma, A \supset B^{\mu} \longrightarrow \Delta; \Theta}\ (\supset\rightarrow^{S})$$

Definition 24 (Segment) A segment in a derivation $\mathcal{D}$ is a maximal tree of contiguous inferences
in which the left subtree of any $(\supset\rightarrow^{S})$ inference is omitted.

The distinctive feature of the $(\supset\rightarrow^{S})$ figure is that the local results inferred from the program are
discarded in the subderivation where the new goal is introduced. In an eager derivation, this will
begin a new segment where first the new goal will be considered and then a new program statement
will be selected to establish that goal.
We will define two calculi using $(\supset\rightarrow^{S})$. The first, SCLS, eliminates the $(\supset\rightarrow)$ inference of
the articulated SCLI and instead has $(\supset\rightarrow^{S})$. The second, SCLV, is a calculus like the articulated
SCLI but also allows $(\supset\rightarrow^{S})$; $(\supset\rightarrow)$ and $(\supset\rightarrow^{S})$ can appear anywhere in an SCLV derivation. We
introduce SCLV to facilitate the incremental transformation of articulated SCLI proofs into SCLS
proofs.

Lemma 4 An eager articulated SCLI derivation whose end-sequent is of the form

$$\Pi; \longrightarrow \Delta; \Theta$$

can be transformed to an eager SCLS derivation of the same end-sequent.

Proof. We proceed with an inductive construction that eliminates $(\supset\rightarrow)$ inferences in favor of
$(\supset\rightarrow^{S})$ inferences one at a time. See Appendix B.1. ■

3.3 Block structure 

We now revise how we perform case analysis from assumptions. We introduce new rules where all
local work is discarded in the subderivation written on the right. This corresponds to a sequent of
the form $\Pi; \longrightarrow ; \Theta$. In addition, some global work may be discarded in the right subderivation; this
helps clarify the structure of derivations. Accordingly, there may be additional formula occurrences
$\Pi'$ and $\Theta'$ in the base sequent that are not copied up to the right subderivation. Finally, the right
subderivation may address either the (textually) first disjunct or the second disjunct. This leads to
the two inference figures below.

$$\frac{\Pi, \Pi'; \Gamma, A \vee B^{\mu}, A^{\mu} \longrightarrow \Delta; \Theta, \Theta' \qquad \Pi, B^{\mu}; \longrightarrow ; \Theta}{\Pi, \Pi'; \Gamma, A \vee B^{\mu} \longrightarrow \Delta; \Theta, \Theta'}$$

$$\frac{\Pi, \Pi'; \Gamma, A \vee B^{\mu}, B^{\mu} \longrightarrow \Delta; \Theta, \Theta' \qquad \Pi, A^{\mu}; \longrightarrow ; \Theta}{\Pi, \Pi'; \Gamma, A \vee B^{\mu} \longrightarrow \Delta; \Theta, \Theta'}$$

We call these inferences blocking $(\vee\rightarrow)$ inferences, or $(\vee\rightarrow^{B})$ inferences. We will appeal to
two calculi in which these inferences appear. The first, SCLU, permits both ordinary $(\vee\rightarrow)$ and
$(\vee\rightarrow^{B})$ inferences, without restriction. SCLU is convenient for describing transformations
between proofs. The second, SCLB, permits $(\vee\rightarrow^{B})$ inferences but not ordinary $(\vee\rightarrow)$ inferences.

Blocks are more than just boundaries in the proof; they provide a locus for enforcing modular- 
ity. We will ensure that a disjunct contributes inferences to the new block where it is introduced. 
Thanks to this contribution, we can narrow down the choice of goals to restart in a modular way. 

This result is made possible only by maintaining the right structure as we introduce $(\vee\rightarrow^{B})$
inferences. We use path prefixes to make explicit connections between program statements and any
goals that they help establish. The key notions are spanning, simplicity and balance for sequents.
Spanned, simple and balanced sequents represent a consistent evolution of the state of proof search,
which records a full set of restart goals and the corresponding assumptions, with no redundancy.

Definition 25 (Carrier) The carrier of a non-empty Herbrand prefix ijcc\ is ifr\ is y\\^,g{iJi,X) 
and otherwise, whenr\ riQ ,^(/j,X), isA^^. 
Definition 26 (Spanned) Say one multiset of tracked prefixed formulas, $\Pi$, is spanned by another,
$\Theta$, if for every expression occurrence in $\Pi$ and every non-empty prefix $\nu$ of $\mu$ there is an
occurrence of the carrier of $\nu$ in $\Theta$. It is easy to see there is a minimal set that spans $\Pi$ and that such
spans itself. A sequent $\Pi; \Gamma \longrightarrow \Delta; \Theta$ is spanned if $\Pi$ is spanned by $\Theta$, $\Gamma$ is spanned by $\Theta$, $\Delta$
is spanned by $\Theta$ and $\Theta$ is spanned by $\Theta$. A derivation or block is spanned if every sequent in it is
spanned.

Definition 27 (Simple) A multiset ^ is simple if no expression occurs multiple times in a 
sequent of the form IT; F — *- A; is simple ifli and are simple. A derivation or block is simple 
ijf every sequent in it is simple. 

Definition 28 (Balanced) A pair of multisets of tracked, prefixed formulas $\Pi, \Theta$ is balanced if

• for any r\ = rig^.(^(/j,X), r\ occurs in exactly when the expression occurs in IT and 
exactly when the expression occurs in 0; and 

• for any T| = Tj^^ r\ occurs in exactly when the expression ^ occurs in 0. 

A sequent $\Pi; \Gamma \longrightarrow \Delta; \Theta$ is balanced if the pair $\Pi, \Theta$ is balanced. A block or derivation is balanced
if every sequent in the block is balanced.

We use the notion of an isolated block to obtain an even stronger characterization of proof 
search that proceeds in a well-regimented way. In an isolated block, the only expressions preserved 
across a blocking inference are those that are in some sense intrinsic to the restart problem created 
by that inference. Specifically, each nested block must begin with the same end-sequent as the 
outer block, except for additional program statements that have to be added in order to introduce 
the newly-assumed disjunct, and the further goal and program statements required to obtain a 
balanced and spanned sequent. 

Definition 29 (Isolated) Let 2) be an SCLU derivation, and let 'B be a block of 2? . Write the end- 
sequent of 'B as Yl\T — A; and consider the right subproof of some (V -^^) inference L at the 
boundary ofB has an end-sequent of the form n',^; — *-;0'. The exported expressions in Ti', Ti'^, 
consist of the occurrences of expressions F in IV such that either is F based in an occurrence of 
F in n or is based in an occurrence ofF as the side expression of an inference in which E is also 
based. 

H is isolated if the right subproof of each (V inference L at the boundary of B has an 
end-sequent of the form n',^; — »";0' meeting the following conditions: E is the side-expression 
ofL; 0' is the minimal multiset of expressions which spans FEgjE, and includes 0; and FT' is the 
smallest multiset including Il'g,Efor which FT', 0' is balanced. 2> is isolated iff^ every block of 2> is 
isolated. 

Isolation allows us to keep close tabs on the uses of formulas within blocks, which is important 
for establishing modularity later. In particular, isolation provides a key notion in formalizing the 
obvious fact that an inference that makes no contribution to an SCLU derivation can be omitted. 
Finally at this stage, we refine the form of proofs which we are willing to count as goal-directed.
Now it will often happen that, while each block of a derivation may be eager, the derivation as a
whole will not be eager. As observed in [Nadathur and Loveland, 1995], derivations with blocks
can nevertheless be seen as eager throughout by reconstructing the (restart) rule as backchaining
against the negation of a subgoal. But we will simply consider blockwise eager derivations from
now on.

Definition 30 (Blockwise delayed) $R$ is blockwise delayed exactly when there is a tree of
contiguous inferences $\mathcal{D}'$ within a single block of $\mathcal{D}$ where: $\mathcal{D}'$ contains $R$; $\mathcal{D}'$ has a left inference $L$
at the root; and the principal $E$ of $R$ is based in an occurrence of $E$ in the end-sequent of $\mathcal{D}'$.



Definition 31 (Blockwise eager) $\mathcal{D}$ is blockwise eager exactly when it contains no blockwise
delayed applications of right rules.

Obviously, we can use weakening to transform an SCLB or SCLU derivation into a SCLS 
derivation, so the blocking inference figures are sound. The completeness of SCLB is a conse- 
quence of Lemma 

Lemma 5 We are given a blockwise eager SCLS derivation $\mathcal{D}$ whose end-sequent is spanned and
balanced and takes the form:

$$\Pi; \longrightarrow ; \Theta$$

We transform $\mathcal{D}$ into a blockwise eager SCLB derivation in which every block is canceled, linked,
isolated, simple, balanced and spanned.

Proof. We can transform individual blocks to achieve a streamlined form, which already implicitly
reflects the logic programming search strategy of focused search on particular goals and program
statements. By pursuing a suitable ordering strategy as we inductively repeat this inductive
transformation, we can create the desired SCLB proofs with an overall modular block structure. See
Appendix B.2. ■



3.4 Modularity 

We now derive SCLP from SCLB. SCLP proofs can be rewritten to SCLB rules by a weakening 
transformation. Conversely, rewriting SCLB proofs to SCLP proofs is accomplished by induction 
on the structure of proofs. The transformation is possible because multiple formulas in sequents 
are needed only for passing ambiguities and work done across branches in the search; this is ruled 
out by the use of (V ), (V ^f) and (d^"^). 

Lemma 6 Given a blockwise eager SCLB derivation $\mathcal{D}$, with end-sequent

$$\Pi; \longrightarrow ; \Theta$$

in which every block is linked, simple and spanned, we can construct a corresponding SCLP
derivation of the same end-sequent in which every block remains linked.

Proof. By induction on the structure of proofs. See Appendix B.3.






DISJUNCTION AND MODULAR PROOF SEARCH 



4 Assessment and conclusions 

To execute modal specifications requires leveraging both the flexibility of efficient classical 
theorem-proving and the distinctive modularity of modal logic. This is a significant problem be- 
cause the two are at odds. On the one hand, flexible search strategies impose no constraints on 
the relationships among inferences. By ignoring modularity, they can leave open inappropriate 
possibilities for search. On the other hand, brute-force modular systems may place such strong 
constraints on the order in which search must proceed that it becomes impossible to guide that 
search in a predictable, goal-directed way. In this paper, we have explored one strategy for bal- 
ancing the flexibility of classical goal-directed search with the modularity of modal logic. This 
strategy culminates in the development of a modular logic programming sequent calculus SCLP. 



[Stone, 1998b] describes a preliminary implementation of proof search in SCLP as a logic
programming interpreter DIALUP. I close by summarizing how (Section 4.1) and no less importantly
why (Section 4.2) I developed this implementation.



4.1 Implementation 

An effective implementation of SCLP requires further treatments of unification and search control. 

In general, to implement first-order sequent calculus proof search, we must lift the inference 
figures. That is, we adapt the inferences that require instantiation to specific terms so that they 
introduce logic variables instead. As we construct the proof, we accumulate constraints on the 
values of these variables — for example, we get constraints when an axiom link in the proof re- 
quires two formulas to be identical. In the lifted system, each proof we find represents the set of 
ground proofs that you get by replacing the variables with values that satisfy the constraints.
Lifting is the essence of the resolution procedure [Robinson, 1965] but can be regarded as a general
metatheoretical strategy. [Lincoln and Shankar, 1994, Voronkov, 1996] offer particularly general
discussions of this strategy at its most sophisticated.

For first-order modal inference in prefixed calculi, lifting introduces two kinds of logic vari- 
ables, and two corresponding kinds of constraints. First-order quantifiers introduce logic vari- 
ables over individuals, subject to the familiar constraints that give rise to term unification prob- 
lems. Modal inferences, meanwhile, introduce logic variables over prefixes, subject to path 
equations. This leads to specialized problems of equational unification; good solutions are
known for the general setting of multi-modal logic; see for example [Auffray and Enjalbert, 1992,
Debart et al., Otten and Kreitz, Schmidt, 1998].



The logical fragment of SCLP makes path equations particularly simple. Inspection of the 
SCLP proof rules shows that, at any point in proof search, we have enough path constraints to 
determine ground substitutions for all the path variables in the sequent except possibly for variables 
in the current program statement that are about to be unified with a goal. In many cases, this makes 
path equations easy to solve — a compact representation of all possible solutions can be computed 
in polynomial time. The details are beyond the scope of this paper, but see [Stone, 1998b].



Search control is the other issue. An implementation has to make commitments about what 
statements to try and what rules to use to process those statements. The fact that SCLP program 
and goal statements are labeled with ground prefixes means that we can easily test that a statement's 
label is a prefix of the goal label before attempting to match the statement and the goal. We can 
also identify an atomic subformula of the statement nondeterministically as the head, and commit 
to match that head with the goal. Before doing so, we can for example test that the head and the 
goal share the same predicate symbol.

In the case of disjunction, we also want to make sure that we avoid reporting duplicate proofs,
despite the duplicate rules for disjunction that we have. Loveland considers a number of heuristics
for this [Loveland, 1991], and we expect that they apply in SCLP as well as in Near-Horn Prolog.



But here is another heuristic. As motivated in Section [T.1.3| , (V —>-r) is required only for cancel- 
lation. When we use it, we expect to cancel an assumption (like B in Figure ^ that could not be 
canceled otherwise. We can make this precise: (V ^r) should only be used in a restart block, and 
the assumption that is canceled in that block ought not to be used in the subsequent restart block 
initiated by the (V ^r) inference. Otherwise, we will independently construct an alternative proof 
that uses (V instead. Naturally, the kind of block analysis illustrated in the proof of Theorem ^ 
can be used to show that this restriction is complete. 
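
The search control described in this section, as an added illustration (it is not DIALUP and not code from the paper): a propositional interpreter that keeps one current goal and one current program statement, consults only statements whose ground label is a prefix of the goal label, and restarts only goals whose label extends the label of the newly assumed disjunct. Assumptions: an S4-style reading of □, tuple-encoded formulas, a bound on nested program consultations, and the hypothetical names `Interpreter`, `FIG6` and `FIG7`; the two sample programs are the assumptions of the proofs in Figures 6 and 7.

```python
import itertools

def is_prefix(mu, nu):
    """True when prefix label mu is an initial segment of label nu."""
    return nu[:len(mu)] == mu

class Interpreter:
    """Formulas: atom "A", ("and",F,G), ("or",F,G), ("imp",F,G), ("box",F)."""

    def __init__(self, max_decisions=8):
        self.max_decisions = max_decisions  # bound on nested program consultations
        self.fresh = itertools.count(1)     # novel symbols for extending goal labels
        self.memo = {}

    def prove(self, program, goal):
        prog = frozenset((p, ()) for p in program)  # every statement at the empty prefix
        return self.goal(prog, goal, (), frozenset(), self.max_decisions)

    def goal(self, prog, g, lab, restarts, d):
        """Decompose the current goal g at label lab; restarts is the restart set."""
        key = (prog, g, lab, restarts, d)
        if key not in self.memo:
            self.memo[key] = self._goal(prog, g, lab, restarts, d)
        return self.memo[key]

    def _goal(self, prog, g, lab, restarts, d):
        if isinstance(g, str):              # atomic goal: consult the program
            if d == 0:
                return False
            rs = restarts | {(g, lab)}
            # search control: try only statements whose label is a prefix of the goal label
            return any(self.back(prog, p, mu, g, lab, rs, d - 1)
                       for p, mu in prog if is_prefix(mu, lab))
        op = g[0]
        if op == "and":
            return (self.goal(prog, g[1], lab, restarts, d)
                    and self.goal(prog, g[2], lab, restarts, d))
        if op == "or":    # the disjunct not chosen stays available as a restart goal
            return (self.goal(prog, g[1], lab, restarts | {(g[2], lab)}, d)
                    or self.goal(prog, g[2], lab, restarts | {(g[1], lab)}, d))
        if op == "imp":
            return self.goal(prog | {(g[1], lab)}, g[2], lab, restarts, d)
        if op == "box":   # goal labels are always extended with a novel symbol
            return self.goal(prog, g[1], lab + (next(self.fresh),), restarts, d)
        raise ValueError(f"unknown connective {op!r}")

    def back(self, prog, p, mu, atom, lab, restarts, d):
        """Match current program statement p (label mu) against atomic goal atom (label lab)."""
        if isinstance(p, str):              # axiom: same atom and same label
            return p == atom and mu == lab
        op = p[0]
        if op == "and":
            return any(self.back(prog, q, mu, atom, lab, restarts, d) for q in p[1:])
        if op == "imp":   # match the head, then prove the body in a new segment
            return (self.back(prog, p[2], mu, atom, lab, restarts, d)
                    and self.goal(prog, p[1], mu, restarts, d))
        if op == "box":   # assumed S4-style: use the body at any label between mu and lab
            return any(self.back(prog, p[1], lab[:k], atom, lab, restarts, d)
                       for k in range(len(mu), len(lab) + 1))
        if op == "or":    # one disjunct continues the segment, the other opens a block
            return any(self.back(prog, here, mu, atom, lab, restarts, d)
                       and self.restart(prog | {(other, mu)}, mu, restarts, d)
                       for here, other in ((p[1], p[2]), (p[2], p[1])))
        raise ValueError(f"unknown connective {op!r}")

    def restart(self, prog, mu, restarts, d):
        """Modular restart: only goals whose label extends the new disjunct's label mu."""
        return any(self.goal(prog, g, nu, restarts, d)
                   for g, nu in restarts if is_prefix(mu, nu))

# Sample programs taken from the assumptions of Figures 6 and 7 (goals: F, and (box A) and (box C)).
FIG6 = [("or", "A", "B"), ("or", "C", "D"), ("imp", "A", "F"),
        ("imp", "C", "F"), ("imp", ("and", "B", "D"), "F")]
FIG7 = [("box", ("or", "A", "B")), ("box", ("imp", "B", "A")),
        ("box", ("or", "C", "D")), ("box", ("imp", "D", "C"))]

if __name__ == "__main__":
    print(Interpreter().prove(FIG6, "F"))
    print(Interpreter().prove(FIG7, ("and", ("box", "A"), ("box", "C"))))
    print(Interpreter().prove([("box", ("or", "A", "B"))], ("or", ("box", "A"), ("box", "B"))))
```

The last query fails because the disjunct assumed under the fresh label of the first box goal cannot restart the other box goal, whose label it does not prefix.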

4.2 Applications in modal representation 

In classical logic, indefinite information is a bit exotic. Rather than developing an indefinite spec- 
ification, we much prefer to collect the additional information required to describe the world in a 
precise, definite way. This is not true at all with modal specifications. Modal specifications get 
much of their interest from their ability to contrast different perspectives or sources of information. 
What one source of information represents with specific, definite information, another source rep- 
resents with abstract, indefinite information. Computation from modal specifications involves the 
coordinated exchange of information between these sources. 

In particular, problems of planning [Stone, 1998a] and problems of communication
[Stone, 2000] depend on indefinite modal specifications. In planning, one agent, the
scheduler, has to allocate a task to another agent, the executive. (The executive may just be the
scheduler at a later point in time!) It is unrealistic to expect that the scheduler will know
exactly what the executive will do; this almost certainly requires information that is not
available to the scheduler. Rather, the scheduler should merely know what the executive can
do. This means that, to be useful, the scheduler must have an indefinite modal specification
that abstractly describes the information that will be available to the executive. For
examples, see [Moore, 1985, Morgenstern, 1987, Scherl and Levesque, 1993, Davis, 199^] as well as
[Stone, 1998^].



In communication, the task of one agent, the speaker, is to formulate an utterance that allows 
another agent, the hearer, to answer a question. There are many cases where the speaker does not 
have enough information to answer the question directly. However, the speaker can still design an 
utterance that allows the hearer to infer the right answer, because the hearer knows something the 
speaker does not. Concretely, a user of a computer interface might want to know what action to 
take next. The right answer might be for the user to type jdoe into a certain text box. The speaker 
might know to say enter your user ID, even if the speaker does not know what the user ID is. Again, 
the speaker can make such choices meaningfully only from an indefinite modal specification that 
says what the hearer knows abstractly but not definitely. See [Stone, 2000] for a worked-out formal
case study. 

A Proof of Theorem 2

Any SCL(I) derivation $\mathcal{D}$ is equal to an eager derivation $\mathcal{D}'$ up to permutations of inferences.
The proof depends on a generalization of delayed inferences, which we can term misplaced
inferences since we intend to eliminate them. We assume an overall derivation $\mathcal{D}$, and consider a
right inference $R$ that applies to principal $E$ within some subderivation $\mathcal{D}'$ of $\mathcal{D}$.

Definition 32 We say a right inference $R$ is right-based on an inference $R'$ in $\mathcal{D}$ if $R = R'$ or $R$ is
based on $R'$ and every inference on which $R$ is based above and including $R'$ is a right inference.
Then $R$ is misplaced in $\mathcal{D}'$ exactly when there are inferences $M$ and $R'$ in $\mathcal{D}'$ such that, in $\mathcal{D}$, $M$ is
based on an inference $L$, $R$ is right-based on $R'$, and $R'$ is delayed with respect to $L$.

In this case we will also say R is misplaced with respect to M. We can abstract a key case of 
misplaced inferences by the following schematic derivation: 



This schematic derivation shows informally how misplaced inferences help provide an inductive 
characterization of the inferences that stand in the way of obtaining an eager derivation. In an eager 
derivation, it will be impossible for R to appear above L. For R' cannot be delayed with respect 
to L, but once R' and L are interchanged, we will obtain a new delayed inference that R is based 
in, until finally we must interchange L and R. Of course, to do this, we must first interchange R 
with the misplaced inferences, such as M, which stand between R and L and cannot themselves be 
interchanged with L because they are based in L. 

Observe that the relation R is misplaced with respect to M is asymmetrical. To see this, suppose 
R is misplaced with respect to M. By definition, R is right-based on R' which is delayed with respect 
to a left inference L on which M is based. Meanwhile, for M to be misplaced with respect to R, 
by definition, we must have M right-based on M' and R based in some left rule Lr. Any such 
M' would have to be based in L since no left inferences intervene between M and M'; M' must 
thus appear inside a schematic like that above. At the same time, since no left inferences intervene 
between $R$ and $R'$, $R'$ would have to be based in any such $L_R$, which must thus appear outside such a
schematic, closer to the root of the overall derivation. Accordingly, any such $L_R$ must occur closer
to the root of $\mathcal{D}$ than $L$; meanwhile the principal of $M'$ is introduced further from the root than $L$.
So we will not have $M'$ delayed with respect to $L_R$.

Call $R$ badly misplaced in $\mathcal{D}'$ if $R$ is misplaced with respect to $M$ and $M$ occurs closer to the
root than $R$. A subderivation $\mathcal{D}'$ with no badly misplaced inferences will be called good. An overall
good derivation is also eager, since any delayed inference is badly misplaced.

We can now present the proof in full using a lemma. 

Lemma 7 Consider a subderivation $\mathcal{D}'$ of an overall derivation $\mathcal{D}$, with the property that $\mathcal{D}'$ has
good immediate subderivations and that $\mathcal{D}'$ ends in inference M. From $\mathcal{D}'$ we can construct a
derivation with the same end-sequent that is good.

Proof. The assumption that the immediate subderivations of $\mathcal{D}'$ are good is a very powerful one.
For suppose that some inference is badly misplaced with respect to some other in $\mathcal{D}'$. Then we can
only have some rule R badly misplaced with respect to M — anything else would contradict that
assumption.

In fact, we can show that some such R must be adjacent to M. Consider an inference S that
intervenes between R and M: we will show that S must be badly misplaced with respect to M too.
By the definition of misplaced, M is based on some left rule L in $\mathcal{D}$, R is right-based on R', and
R' is delayed with respect to L. Now consider the inferences that S is based on above L. If any
of these is a left inference L', or S is itself a left inference, then R is also misplaced with respect
to S — indeed, badly misplaced. This contradicts the assumption that the subderivations of $\mathcal{D}'$ are
good. So none of these inferences can be a left inference, which means S is a right inference that is
right-based on some inference S' above L. S' must be delayed with respect to L. Hence S is badly
misplaced with respect to M.

Now we can proceed after [Kleene, 1951, Lemma 10]. Define the grade of as the number of
badly misplaced inferences in $\mathcal{D}'$. We show by induction on the grade that can be transformed
to a good one.

The base case is a derivation of grade 0. This case has itself good. Thus, suppose the lemma
holds for derivations of grade g, and consider of grade g+1. By the argument just given, one
immediate subderivation — call it $\mathcal{D}''$ — must end with an inference R which is badly misplaced
with respect to M. Such an R of course cannot be based in M, so we interchange inferences R and
M. In the result, the subderivation(s) ending in M satisfy the condition of the lemma with grade g
or less. By applying the induction hypothesis, we can replace these subderivations with good ones.
By asymmetry, M is not now badly misplaced with respect to R, nor can any of the other inferences
be badly misplaced with respect to R, since they were not so in the original derivation. It follows
that the result is a good derivation. ■

Now, continuing the proof of Theorem 0, define the reluctance of $\mathcal{D}$ to be the number of
rule applications R such that the subderivation $\mathcal{D}_R$ of $\mathcal{D}$ rooted in R is not good. We proceed by
induction on reluctance. If reluctance is zero, $\mathcal{D}$ is itself good.

Now suppose the theorem holds for derivations of reluctance d, and consider $\mathcal{D}$ of reluctance
d+1. Since $\mathcal{D}$ is finite, there must be a highest inference R such that some inference is badly
misplaced with respect to R in the subderivation $\mathcal{D}_R$ rooted at R. This $\mathcal{D}_R$ satisfies the condition of
Lemma 7. Therefore this $\mathcal{D}_R$ can be replaced with a corresponding eager derivation, giving a new
derivation of smaller reluctance. The induction hypothesis then shows that the resulting derivation
can be made eager. ■



B Proof of Theorem g 

Let $\Gamma$ and $\Delta$ be multisets of tracked prefixed expressions in which each formula is tracked by the
empty set and prefixed by the empty prefix. There is a proof of $\Gamma \longrightarrow \Delta$ in SCL exactly when there
is a proof of $\Gamma; \longrightarrow ; \Delta$ in SCLP in which every block is canceled.

Proof. As observed already in Section there is an SCL proof of $\Gamma \longrightarrow \Delta$ exactly when
there is an SCLI proof of $\Gamma \longrightarrow \Delta$. By Theorem || of Section there is an SCLI proof of $\Gamma \longrightarrow \Delta$
exactly when there is an eager SCLI proof of $\Gamma \longrightarrow \Delta$. By Lemma |^, there is an eager SCLI proof
of $\Gamma \longrightarrow \Delta$ exactly when there is an eager articulated SCLI proof of $\Gamma; \longrightarrow ; \Delta$. And by Lemma ^
there is an eager articulated SCLI proof of $\Gamma; \longrightarrow ; \Delta$ exactly when there is an eager SCLS proof of
$\Gamma; \longrightarrow ; \Delta$.

Continuing through the argument. By the Contraction Lemma, we may assume without loss of
generality that $\Gamma; \longrightarrow ; \Delta$ is a simple sequent. We know from its lack of prefixes that the sequent
$\Gamma; \longrightarrow ; \Delta$ is also spanned and balanced. By Lemma ^ of Section B.2.3, then, there is an eager
SCLS proof of $\Gamma; \longrightarrow ; \Delta$ exactly when there is a blockwise eager SCLB derivation of $\Gamma; \longrightarrow ; \Delta$ in
which every block is canceled, linked, isolated, simple, balanced and spanned. And by Lemma ^
there is a blockwise eager SCLB derivation of $\Gamma; \longrightarrow ; \Delta$ in which every block is canceled, linked,
isolated, simple, balanced and spanned exactly when there is an SCLP derivation of $\Gamma; \longrightarrow ; \Delta$ in
which every inference is linked. And if every inference is linked, every block is canceled. ■

B.1 Proof of Lemma ^

We show in this section that an articulated SCLI proof with end-sequent FI; — corresponds 
to an SCLS proof with end-sequent FI; — *-;0, and vice versa. In fact, to transform SCLS to 
articulated SCLI we have a simple structural induction which replaces (d^'^) with (d^) using 
the weakening lemma; the soundness of SCLS over SCLI then follows by Lemma |^. Thus, here 
we are primarily concerned with completeness of a new sequent inference figure. 

The use of {'D^^) in eager derivations ensures that the processing of each new goal refers 
directly to global program statements. To formalize this idea, we introduce the notion of a fresh
inference.

Definition 33 (Fresh) Let $\mathcal{D}$ be an SCLV derivation. An inference R in $\mathcal{D}$ is fresh exactly when
R is a right inference and the path from R to the root never follows the left spur of any $(\supset\rightarrow)$
inference.



Lemma 8 Let $\mathcal{D}$ be an eager SCLV derivation with an end-sequent of the form

$$\Pi; \longrightarrow \Delta; \Theta$$

and consider a subderivation $\mathcal{D}'$ of $\mathcal{D}$ rooted in a fresh inference R. Then the end-sequent of $\mathcal{D}'$
also has the form

$$\Pi'; \longrightarrow \Delta'; \Theta'$$

for some $\Pi'$, $\Delta'$ and $\Theta'$.

Proof. Suppose otherwise, and consider a maximal whose end-sequent contains a non-empty
multiset of local statements $\Gamma$. We can describe equivalently as the subderivation of $\mathcal{D}$ that is
rooted in a lowest fresh inference R when the end-sequent of $\mathcal{D}$ contains some local statements. R
cannot be the first inference of $\mathcal{D}$, so there must be an inference S in $\mathcal{D}$ immediately below R. If S
is a left rule, then the fact that $\mathcal{D}$ is eager leads to a contradiction. R must be based in S, or else R
will be delayed. This means S is an implication inference; but given that R is fresh, R must appear
along the branch of $(\supset\rightarrow)$ without local statements. Meanwhile, if S is a right rule, it follows
from the formulation of the rules that if the end-sequent of has non-empty local statements
then the end-sequent of must also. This contradicts the assumption that R is first. ■

Now we proceed with the proof of Lemma ^. We assume an eager SCLV derivation $\mathcal{D}$ with
such an end-sequent; we show that we can transform it into an eager SCLS derivation with the
same end-sequent. The proof is by induction on the number of occurrences of $(\supset\rightarrow)$ inferences in
$\mathcal{D}$.

In the base case, there are no $(\supset\rightarrow)$ inferences and $\mathcal{D}'$ is just $\mathcal{D}$.

Suppose the claim holds for derivations where $(\supset\rightarrow)$ is used fewer than n times, and suppose
$\mathcal{D}$ is a derivation in which $(\supset\rightarrow)$ is used n times. Choose an inference L of $(\supset\rightarrow)$ with no other
$(\supset\rightarrow)$ inference closer to the root of $\mathcal{D}$; we must rewrite the left subderivation at L to match the
(d^"^) inference figure. We distinguish a subderivation $\mathcal{D}'$ of $\mathcal{D}$ as a function of L and draw
on the inferences in $\mathcal{D}'$ to replace this subderivation — in particular, we identify $\mathcal{D}'$ as the largest
subderivation of $\mathcal{D}$ containing L but no right inferences or segment boundaries below L.

Using Lemma 8 we develop a schema of $\mathcal{D}'$ thus:

n; r, A D fi^ ^ A^ ,A;0 n;r,A D ^ A;0 ^ 

!n;r,AD5^ — ^ A;0 
: 
n;^A;0 

(Segment boundary or right rule) 

We suppose L applies to an expression A D 5^; the left subderivation of L, 'D^ adds the goal A; 
the right, CD^, uses the assumption B. The subderivation of d' from the end-sequent of L abstracts 
the left inferences performed elsewhere in this segment (and any subgoals that these inferences 
trigger). We notate this tree of inferences 'D^. By Lemma ^ d' ends with a sequent of the form 
ri; — *- A; 0. Because of the form of the intervening rules, we have the same succedent A; at L, 
as well as the same global statements IT. 

We use to construct an eager SCLS derivation Jl corresponding to (D^; we will substitute 
the result for the left subtree at L to revise L to fit the (d^^) figure. In outline, the derivation we 
aim for is an eager SCLS version of: 

The problem is that if is rooted in a right inference to A, we will not obtain an eager derivation 
when we reassemble L. The SCLS derivation we use is actually constructed by recursion on the 
structure of T)^, applying this kind of transformation at appropriate junctures. At each stage, we 
call the subderivation of T)^ we are considering CD'^. 

For the base case, this subderivation is an axiom, and we construct this subderivation as a result. 
If (D'^ ends in a right rule, the construction proceeds inductively by constructing corresponding 
subderivations and recombining them by the same right rule. With a right inference here, the 
resulting derivation must be eager since the subderivations are eager. 

If 'D'^ ends in a left inference, the construction is not inductive. We observe that d'^ has an 
end-sequent of the form

$$\Pi, \Pi'; \longrightarrow \Delta, \Delta'; \Theta, \Theta'$$

(The inventory of expressions can only be expanded, and that only in certain places, as we follow
right inferences to reach 'D''^.) So we first weaken by the needed additional expressions — $\Pi'$
on the left and $\Delta'$ (locally) and $\Theta'$ (globally) on the right; then we identify the open leaf in with
© , obtaining a larger derivation ©/ defined as:

n' + ©'^+A^+A';0' 

Any delayed inference in ©/ would in fact be delayed in 'D'^, so this is an eager derivation. The
result has, moreover, fewer than n $(\supset\rightarrow)$ inferences, since it omits at least L from Then the
induction hypothesis applies to give the needed SCLS derivation Si .

Given the derivation SA so constructed, we substitute SI for T)^ in $\mathcal{D}$. The result $\mathcal{D}^*$ is an eager
derivation; $\mathcal{D}^*$ contains an {'D^^) inference corresponding to L and therefore contains fewer than
n uses of $(\supset\rightarrow)$. The induction hypothesis applies to transform $\mathcal{D}^*$ to the needed overall derivation.
■

B.2 Proof of Lemma^ 

B.2.1 Replacing Herbrand terms 

To begin, it is convenient to observe that the use of indexed Herbrand terms allows us to rename 
Herbrand terms in a proof under certain conditions. 

Lemma 9 (Substitution) Let $\mathcal{D}$ be an SCLU derivation with end-sequent

n;— 

in which no Herbrand terms or Herbrand prefixes appear; consider a spanned simple subderivation
$\mathcal{D}'$ in which a modal Herbrand function T]^ occurs in some sequent, but does not occur in the
end-sequent. Let T]^ be a Herbrand function that does not occur in $\mathcal{D}$. Then we can construct a
proof $\mathcal{D}^*$ containing corresponding inferences in a corresponding order to $\mathcal{D}$ but in which Herbrand
terms and Herbrand prefixes are adjusted so that V[\ is used in place of V[\ precisely in the
subderivation corresponding to $\mathcal{D}'$.

The proof is by induction on the structure of derivations. A complex substitution may be required,
because the Herbrand calculus may require not only the replacement of r[\ itself but also the
replacement of Herbrand terms that depend indirectly on T]^. It is convenient to begin by replacing
any first-order Herbrand term not introduced by a $(\exists\rightarrow)$ or $(\rightarrow\forall)$ inference by a distinguished
constant $c_0$ — starting with leaves of the derivation and working downward. This replacement is
to ensure that each first-order and modal Herbrand term in $\mathcal{D}$ is determined from an expression in
the end-sequent of $\mathcal{D}$ by a finite number of steps of inference. We continue with the systematic
replacement of and its dependents. In both cases, the form of $\mathcal{D}$ ensures that a finite substitution
can systematically rename all these Herbrand terms as required. We use the fact that each sequent
is simple and spanned to extend this substitution inductively upward. Because each sequent is
spanned the substitution does not need to be extended at $(\Box\rightarrow)$ inferences; because each sequent
is simple the substitution can be extended freshly at $(\rightarrow\Box)$ and $(\rightarrow>)$ inferences. Finally, the form
of first-order Herbrand terms ensures that a finite extension of the substitution suffices for $(\rightarrow\exists)$
and $(\forall\rightarrow)$ inferences. ■

B.2.2 Rectifying blocks

The transformation of individual blocks appeals to the following definition of required elements 
of proofs. 

Definition 34 (Required) Given a derivation $\mathcal{D}$ with end-sequent

$$\Pi; \Gamma \longrightarrow \Delta; \Theta$$

we say that an expression occurrence E in or $\Pi$ is required iff either it is linked or some block
in $\mathcal{D}$ is adjacent to the root block and has an end-sequent

$$\Pi'; \longrightarrow ; \Theta'$$

in which $\Pi'$ or $\Theta'$ contains an expression occurrence based in E.

Lemma 10 (Rectification) We are given a blockwise eager SCLU derivation $\mathcal{D}$ such that: every
block in $\mathcal{D}$ is canceled and isolated; every block in $\mathcal{D}$ other than the root is spanned, linked,
balanced and simple; and the end-sequent of $\mathcal{D}$ is balanced. We transform $\mathcal{D}$ to an SCLU derivation
$\mathcal{D}'$ in which every block is canceled, linked, isolated, balanced and simple and every block other
than the root is spanned. Every block in $\mathcal{D}'$ other than the root block is identical to a block of $\mathcal{D}$;
and the inferences in the root block of $\mathcal{D}$ correspond to inferences in the same order in $\mathcal{D}'$ (and so
$\mathcal{D}'$ is blockwise eager). If the end-sequent of $\mathcal{D}$ is spanned then is spanned and isolated.

Proof. We describe a transformation that establishes the following inductive property given $\mathcal{D}$.
There are simple multisets $\Pi_M \subseteq \Pi$ and $\Theta_M \subseteq \Theta$, together with multisets $\Gamma' \subseteq \Gamma$ and $\Delta' \subseteq \Delta$ such
that: any $\Theta'$ that spans $\Pi_M$ includes $\Theta_M$; and for any simple $\Pi'$ with $\Pi_M \subseteq \Pi' \subseteq \Pi$ and any simple
$\Theta'$ with $\Theta' \subseteq$ such that $\Pi'$ and $\Theta'$ are spanned by $\Theta'$ and the pair $\Pi'$, $\Theta'$ is balanced, there is a $\mathcal{D}'$
in which every block is canceled, linked, balanced, balanced and simple, with end-sequent:

$$\Pi'; \Gamma' \longrightarrow \Delta'; \Theta'$$

In this $\mathcal{D}'$, each expression in $\Gamma'$ is linked; each expression in $\Delta'$ is linked; each $\Pi_M$ expression
that occurs in $\Pi'$ is required and each $\Theta_M$ expression that occurs in $\Theta'$ is linked. Every block in
$\mathcal{D}'$ other than the root block is identical to a block of $\mathcal{D}$; and the inferences in the root block of $\mathcal{D}$
correspond to inferences in the same order in $\mathcal{D}'$. Finally, if $\Gamma'$ and $\Delta'$ are spanned by $\Theta'$ then $\mathcal{D}'$ is
spanned; if $\mathcal{D}$ is linked then $\mathcal{D}'$ contains all the axioms of $\mathcal{D}$.
At axioms, for 2> of 

n;F,A^^— ^A^,A;0 

Hm and 0m are empty, while F' = and A' = A^. Assume we are given simple FI' from FI and 
simple 0' from with FI' and 0' spanned by 0'. We construct 2»' of 

n';A^^A^;0' 

If A^ is spanned by 0', this axiom is spanned too; the remaining conditions are immediate. 
At inferences, consider as a representative case $(\vee\rightarrow)$. $\mathcal{D}$ ends:



2>1 

n;r,AV5^,A^ — ^ A;0 



©2 

n;r,AV^^,^^ — ^ A;0 



n;r,AV5^ 



A;0 



The blocks of 2)i and ©2 either contain the root or are blocks from (D ; the Herbrand prefixes in the 
end-sequents of ©1 and ©2 occur with the same distribution as in ©. Therefore we can apply the 
induction hypothesis to get ITmi, ©mi, T'^ and Aj for ; we can apply it to get Umi, ®m2, ^2 
A2 for ©2. To transform © itself, we perform case analysis on T\ and Fj. 

If Y\ does not contain an occurrence of A^, then Hm = n^i, 0^ = ®m\, T' = T'^ and A' = Aj; 
©J suffices to carry through the induction hypothesis. 

Similarly, if T'2 does not contain an occurrence of B^^, then IIm = ^m2, ®m — ®m2, T' = T'2 
and A' = A2; 'D2 suffices to carry through the induction hypothesis. 

Otherwise, we will set up Tl^ — Umi unM2 and ®m = ©mi U &m2 (as sets); by the inductive 
characterization of Umi, ^m2, ©mi and &m2, any ©' that spans both 11^2 and 11^2 includes both 
©Ml and ©M2- We also set up T' as the multiset containing at least one occurrence of A and 
as many expression occurrences of any expression as either are found in r[\A'^ or are found in 
r2\5^; we set up A' as the multiset containing as many expression occurrences of any expression 
as are found in either Aj or A2. 

To continue, we now consider simple Tl' from n and simple ©' from © such that Umi ^ 
n', 11^2 ^ n', n' and ©' are spanned by ©', and the pair n', ©' is balanced. We know that ©' 
includes ©m- We can apply the inductive property to transform ©i and ©2 into derivations with 
the inductive property: 



We weaken the lowest block of on the left by the expressions in r+ and not already in T' and 
on the right by the expressions in A"*" and not already in A', giving D^. We similarly weaken the 
lowest block of ©2 on the left by the expressions in r+ and not already in r2 and on the right by 
the expressions in A"*" and not already in A2, giving ©2^. Only the lowest blocks are affected by the 
weakening transformations, so other blocks remain canceled, linked, spanned, isolated and simple; 
the lowest block in each case remains canceled. The lowest blocks also remain linked since no 
inferences are added; and they remain simple (and balanced) because no weakening occurs in the 
global areas. Construct (D' as 



n';r; — ^ a;;©' 



n';r^ — ^ A^;©' 



n';r+,A^— ^A+;©' 




n^r+,^ — A+;©^ 




n';r+ — ^ A"^W 



The end-sequent is simple and balanced so the root block is simple and balanced; the inference is 
linked since and 5^ are linked in the subderivations, so the root block is linked. The root block 
remains canceled as always. 
Any IIm expression is required here because it is required either in 2) j" in virtue of its
membership in Umi or in (D2 in virtue of its membership in Umi', likewise any ©m expression is linked
here because it is linked either in in virtue of its membership in 0^1 or in D2 in virtue of
its membership in &m2- Thus, except for the spanning conditional, we have shown everything we
need of this 2>'.

Finally, then, if T' and A' is spanned by 0', Aj and Aj are spanned by 0' and r[ and r'2 are 
spanned by 0' in the resulting (spanned) subderivations 2>( and This shows that the end- 
sequent of 2)' is also spanned, so itself is spanned. 

This reasoning is representative of the construction required also for $(\wedge\rightarrow)$, $(\exists\rightarrow)$, $(\forall\rightarrow)$,
$(\rightarrow\wedge)$, $(\rightarrow\vee)$, $(\rightarrow\exists)$, $(\rightarrow\forall)$, (decide) and (restart). It applies also for (d— with the obvious
caveat that we do not weaken the left subderivation to match local left expressions, since the form
of the (d— inference requires there to be none.

Next we have (V -^^); we consider the representative case of (V ). 2) ends: 

2)1 2)2 
no,n;r,AV^^,A^ ^A;0o,0 Dq,^;— ^00 
no,n;r,AV55^— ^A;0o,0 

We treat this specially to respect the block boundary before 2)2. In particular, we apply the in- 
duction hypothesis to Di (as we may since its end-sequent has the same distribution of Herbrand 
prefixes as does that of 2)), to get ITmi, ®mi, ^'i and A[. If does not occur in r[, we let 
IIm = TImi, 0m = 0mi, = r[ and A' = any derivation 2)( constructed from appropriate IT' 
and 0' suffices to carry through the induction hypothesis. 

Otherwise, we get Hm = Hmi U ITeo (as a set), 0m = 0mi ; any 0' that spans Hm also spans 
ITmi and so includes @m- A' = Aj and T' contains r[ with the occurrence of removed, together 
with an occurrence of A V 5^ if r[ does not already contain such an expression. 

Assume simple 11' with Um C IT' C IT and simple 0' with 0' C with n' and 0' spanned by 
0' and the pair IT', 0' balanced. As before, we must have &m included in 0'. We therefore obtain 
2)( by the inductive property; we then weaken 2)| locally within the lowest block by A on the 
left if necessary, to obtain a good derivation 2)j . 

The needed 2)' is now constructed as: 

2)f 2)2 

mr,A^— ^A;0; no,B^;— ^00 
n';r — ^ A;"©' 

We first argue that the construction instantiates the (V — >f ) inference rule. Every Herbrand prefix 
in IToe and 5^ occurs in IT' or T', so Iloe and fi^ are spanned by 0'. But because the root block in 2) 

is isolated, Iloe and are spanned minimally by 0o. Thus 0o C 0'. Iloe C 11^ by construction; 
by isolation Ilo is the smallest set such that the pair of no,0o is balanced. But since n',0' is 
balanced, Ilo ^ n'. 

Now we show that 2)' so constructed has the needed properties. The end-sequent is simple and 
balanced so the root block is simple and balanced. The inference is linked: A^ is linked in 2) ( by 
the induction hypothesis; 5^ is linked in 2)2 because 2)2 begins a new block which by assumption 
is canceled. The root block remains canceled as always. Any 11^ expression is required here 
because either a corresponding expression Iloe in the new block at the left subderivation is based

on it, or because it is required in ©{. Every ©m is linked because it is linked in . 

Finally, if T' and A' are spanned by 0', then A[ and Fj are spanned by 0j . The new subderiva- 
tion 'D[ is therefore spanned by the inductive property; this ensures that the overall derivation is 
spanned. 

Next consider $(\Box\rightarrow)$. $\mathcal{D}$ ends:

©1 

n;r,D,A^,A^^^,^A;0 
n;r, D/A^— ^A;0 

As always, we apply the induction hypothesis to ©i (as we may since the Herbrand prefixes on FI 
and formulas remain the same) to obtain Flyi^i, &mu^\ and A'^. If A^'^^y does not occur in Fj, we 
let IIm — T^Mi, 0M = 0Mi> r' = r'l and A' = A^; any subderivation obtained by the inductive 
property suffices to witness the inductive property for 2) . 

Otherwise we obtain T' by extending Fj by the principal expression n/A^ if necessary and 
eliminating the side expression A^^^^; IIm = ^Mi, 0m = 0mi and A' = A'^. (Since these are 
common to the subderivation, any 11' that spans 11^ includes 0m-) Now we consider FI' with 
Hm ^ n' C n and 0' with 0' C 0, FI' and 0' spanned by 0' and the pair n',0' balanced. As 
always, we have @m Q 0'- We obtain 'D[ using n' and 0', and weaken the lowest block by local 
formulas; calling the result (D^, we can produce f' by the following construction: 

n';r' — ^ A';0' 

Everything is largely as before. The key new reasoning comes when we assume that F' and A' 
are spanned by 0'. We must argue that F',A^^^y is in fact spanned by 0'. Since A^^^^ is linked 

in CD^, there must be an axiom in this block which is based in A^^^^; indeed, since the expression 
occurs as a local antecedent, this axiom must occur within the segment. This axiom must pair 
expressions prefixed by a path where /jV is a prefix of But because 2)' remains blockwise 
eager, no inferences apply to A' or 0' formulas within the segment (nor can they in this fragment 
augment the A' or 0' formulas within the segment); therefore some A' expression is associated 
with Herbrand prefix /u'. But since A' is spanned by 0', we have that every prefix of ju' is associated 
with some 0' expression; so every prefix of /JV is associated with some 0' expression. Thus T)^ is 
spanned and in turn ©' is spanned. 

We have one last representative class of inferences in $\mathcal{D}$: $(\rightarrow\Box)$ and $(\rightarrow>)$. We illustrate with
the case where $\mathcal{D}$ ends in $(\rightarrow>)$:



©1 

n,A^.„;F — ^ A.A >, B^-.Q.B'^. 
We begin by applying the induction hypothesis to ©i (as we can, given the symmetric extension

of n and by labeled expressions). We obtain ©mi, Hmi, and A^; we consider alternative 
cases in response to and @mi- First we suppose ^ 0. It follows by our assumption about 
© that ^ n either, nor does r\ occur in 0. For this case, we start by defining an overall Dm 
and &M- 0M is 0mi with any occurrence of B'^^ eliminated; TIm is n^i with any occurrence of 
eliminated. IIm contains no occurrences of /jr], since n does not; thus given the inductive 
property of 0mi and n^i, any 0' that spans Hm spans &m- We define F' and A' so that F' = F^ 
and A' contains Aj together with an occurrence of A >; 5^, provided A'^ does not already contain 
one and e ©mi or A^^ e FImi. So, assume we are given simple FT' with FIm C FI' C n and 
simple 0' with 0' C (and so 0m Q 0') such that FT' and 0' are spanned by 0' and the pair FI', 0' 
is balanced. 

We consider whether B'^^ e 0mi or A^^ e FImi. If neither, we apply the induction hypoth- 
esis to ©1 for the case that 0^ is 0' and Il[ is FI'. The resulting derivation T>[ serves as 

Otherwise, ^xVi ^ -^x^/jt] ^ ^mi; we apply the inductive property of ©i for the case 

that 0'i is ©',5^^ and n[ is n',A^^ (clearly U[ and 0'^ are spanned by 0'i assuming FI' and 0' 
are spanned by 0'; the pair FI'^ , 0'^ is also balanced given its symmetric extension). If e 0mi, 

by the inductive property it is linked. If A^^^ G TIm i, it is required, but we shall show that it is in 
fact linked. By the definition of being required, the other possibility is that there is a block adjacent 
to the root block of (D[ with end- sequent 

n",E;^@" 

in which the (V — >^) inference R that bounds the block is based in E and IT", E or 0" contains an 
expression occurrence based in A^^. But since the original block is isolated in the original ©, it 

is E that must be based in A^^ . But then R is based in A^^ and R is linked: in particular its side 
expression in the left spur) must be linked; so A^^ is linked too. 

Thus we can weaken T)[ in its lowest block if necessary by A >i 5^ as a local right formula 
(in F), producing T>^; remains good by the same argument as the earlier cases. Thus we can 



construct 2)' as: 



^^A^^;r-^A^A>,^^;0^^^ 
n';r — ^ A';0' 

The end-sequent here is simple and balanced, so the whole root block is simple and balanced. 
The new inference is linked (in virtue of the linked occurrence of one side expression — A^^ or 

5^^) so the whole root block is linked. The root block is of course canceled. Each element of 
TTm is required because it is an element of TTmi and required in the immediate subderivation; each 
element of 0m is linked, because it is an element of 0mi and therefore linked in the immediate 
subderivation. 

To conclude the case, suppose the end-sequent of 'D is spanned and that F' and A' are spanned 
by 0'; it follows that same property applies to so the subderivation is spanned. Then the end- 
sequent must also be spanned. 
The alternative case has B'^^ G 0. By assumption, it also has ^^Vl ^ therefore define

an overall Um and ©m directly as TTmi and 0m i, respectively; similarly T' = r[ and A' = A[. To 
construct the needed T)' for appropriate IT' and 0', we simply apply the induction hypothesis to 
CD I for the case that 0'^ is 0' and Il[ is n'. The resulting derivation CD[ suffices. 

Having completed the induction, we argue that we can obtain an overall (D' that is isolated, 
assuming the original CD is not only isolated but spanned. Apply the inductive result to CD for the 
case n' = n and 0' = 0; since F' C F and A' C A we obtain a spanned derivation d' ending 

n;F' — ^ A';0 

Consider the end-sequent of any block other than the root in CD'; it is 

Uo,E; — ^;0o 

where a corresponding block occurs in © . I argue by contradiction that for any F eHq either 
F G n or F is based in an occurrence of F as the side expression of an inference in in which 
E is also based. (This will show that is isolated.) So consider an exceptional F. Since © is 
isolated, if F ^ FI, F is based in an occurrence of F as the side expression of an inference in © in 
which E is also based; this inference introduces some path symbol r\ which occurs in the label of 
F and E. In cd', E can not be based in such an inference; otherwise F would also be based in that 
inference, since is simple. (We have assumed that F is not based in such an inference.) But in 
this case the expression in the end-sequent of on which E is based must contain r\. Because the 
end-sequent of 2) ' is spanned the form of FI and is constrained in 2) , F must occur in FI. This is 
absurd. ■ 

We conclude Section B.2.2 by observing some facts about this construction. First, let be a
derivation obtained by the construction of Lemma 10, and suppose is weakened (in a spanned
and balanced way) to by adding occurrences of global expressions that either already occur in
the end-sequent of $\mathcal{D}'$ or never occur as global expressions in $\mathcal{D}'$. Then a straightforward induction
shows that $\mathcal{D}'$ is obtained again from $\mathcal{D}''$ by the construction of Lemma 10.

Second, observe that if $\mathcal{D}'$ is a derivation obtained by the construction of Lemma 10, and $\mathcal{D}''$
is obtained from 2?" by the renaming of Herbrand prefixes (as in Lemma 9), then straightforward
induction shows that $\mathcal{D}''$ is obtained again from $\mathcal{D}''$ by the construction of Lemma 10.

Third, let $\mathcal{D}'$ be a derivation for which the construction of Lemma 10 yields itself. Let $\nu$ be a
prefix and let the $\Pi; \Theta$ be the smallest balanced pair where contains all the carriers of prefixes
of $\nu$ introduced in $\mathcal{D}'$. Suppose each expression in $\Pi$ and has the property that at most one
inference of $\mathcal{D}'$ has an occurrence of that expression as a side expression. Consider a derivation
$\mathcal{D}''$ obtained from $\mathcal{D}'$ by weakening globally by $\Pi$ (on the left) and by (on the right). Let $\mathcal{D}^*$ be
the result of applying the construction of Lemma 10 to $\mathcal{D}''$. Then $\mathcal{D}^*$ contains any subderivation
of $\mathcal{D}'$ whose end-sequent contains $\Pi$ and as global formulas. Again this is a straightforward
induction; the base case considers a subderivation of $\mathcal{D}'$ whose end-sequent contains $\Pi$ and as
global formulas; in this case we apply the first observation. Unary inferences extend the claim
immediately. At binary inferences, one subderivation must be unchanged, by the first observation:
since $\Pi$ and are introduced on a unique path, each $\Pi$ and formula never occurs or already
occurs in the end-sequent in that subderivation. Thus the other subderivation necessarily appears
in the derivation obtained by the construction of Lemma 10.
B.2.3 Block conversion

We now have the background required to perform the conversion to block structure, and complete 
the proof of Lemma ^. 

We are given a blockwise eager SCLS derivation $\mathcal{D}$ whose end-sequent is spanned and balanced
and takes the form:

$$\Pi; \longrightarrow ; \Theta$$

We can transform $\mathcal{D}$ into a blockwise eager SCLB derivation in which every block is canceled,
linked, isolated, simple, balanced and spanned.

Proof. Our induction hypothesis is stronger than the lemma. We assume a blockwise eager
SCLU derivation $\mathcal{D}$ with end-sequent of the form

$$\Pi; \longrightarrow ; \Theta$$

in which every block is canceled, linked, isolated, simple, balanced and spanned, such that
the subproof rooted at any $(\vee\rightarrow)$ inference in $\mathcal{D}$ is an SCLS derivation. And we identify a
distinguished expression occurrence E in the end-sequent of $\mathcal{D}$ which is linked. By Lemma 10, it
is straightforward to obtain such a derivation from the SCLS derivation (containing only a single
block) that we have assumed. We transform $\mathcal{D}$ into a blockwise eager SCLB derivation in which
every block is canceled, linked, isolated, simple, balanced and spanned and in which E is also
linked; we perform induction on the number of $(\vee\rightarrow)$ inferences in $\mathcal{D}$.

In the base case there are no $(\vee\rightarrow)$ inferences, so $\mathcal{D}$ itself is an SCLB derivation.

In the inductive case, we assume $\mathcal{D}$ with n $(\vee\rightarrow)$ inferences, and assume the hypothesis true
for derivations with fewer. We find an application L of $(\vee\rightarrow)$ with no other closer to the root of
$\mathcal{D}$. We will transform $\mathcal{D}$ to eliminate L.

Let $\mathcal{D}'$ denote the smallest subderivation of $\mathcal{D}$ containing the full block of $\mathcal{D}$ in which L
occurs. Explicitly, $\mathcal{D}'$ may be $\mathcal{D}$ itself; otherwise, is rooted at the right subderivation of the
highest (V -^^) inference below L — an inference we will refer to as H. In either case, our
assumptions allow us to identify a distinguished linked expression F in the end-sequent of either the
assumed E from $\mathcal{D}$, or the side expression of the inference H (assumed canceled). Suppose A V5y
is the principal of L. We can apply Lemma ^ to rename A V 5^ to A V 5^ in such a way that each
symbol in /j that is introduced in $\mathcal{D}'$ is introduced by a unique inference there. Now we can infer
the following schema for

no,F,n;r,AV^^,A^ — ^ A;0o,0 no,F,n;r,A V^^,^^ — ^ A;0o,0 

no,F,n;r,AV5^ — ^ A;0;^ ^ 
2)^ 

no,F;— ^;0o 

That is, the subderivation of below L is2)^; the right subderivation above L (in which B is 
assumed) is (D^; the left is 'D^. 

We will use the inferences from to construct alternative smaller derivations in place of
(D^ and 2)^. By $\Theta'$, indicate the minimal set of formulas required in addition to $\Theta_0$ to span A^;
by $\Pi'$ indicate the minimal set of formulas required in addition to $\Pi_0, F$ and A^ to ensure that
the pair given by $\Pi_0, \Pi', F$, A^ and $\Theta_0, \Theta'$ is balanced. (This is well-defined because the sequent
$\Pi_0, F; \longrightarrow ; \Theta_0$ is already spanned and balanced.) Now we can construct two new subderivations
'D'^ and T)'^ given respectively as follows:



n'+A^ + !Z)'^ + 0' 
no,F, n, n',A^;r, A V 5^,A^ — ^ A; 00, 0, 0' 



decide 



decide 



no,F,n,n',A^;r,AV5^ — ^ A;0o,0,0^ 

n'+A^ + ©^+0' 

no,F,n',A^;^;0o,0' 

[n'+5^ + ©^+0'] 
^o,F,^,^^^^;^,^v^^,^^— ^^;Qo^Q>Q' 

no,F,n,n',5^;r,5V5^ — ^ A;0o,0,0^ 

n'+B^ + ©-^+0' 

no,F,n',5^;^;0o,0' 

That is, we weaken T)^ and by global versions of the side expression of inference L throughout 
their lowest blocks; we apply a (decide) inference to obtain a new subderivation to substitute for 
the subderivation rooted at L in D^. We weaken by sufficient additional formulas globally in the 
lowest blocks to ensure that the end-sequents of these derivations are balanced and spanned. 

Since we have changed only the lowest block here, and have ensured that this block remains 
isolated and canceled, we can now apply Lemma [T^ to obtain corresponding derivations Tif and 
(of in which every block is canceled, linked, isolated, simple, balanced and spanned. In light 
of our first observation about the construction of Lemma [1^, we can see that the inferences of 
(D^ are preserved up to the new (decide) inference. And in light of our third observation about 
the construction of Lemma |l^ given the unique inferences introducing 0o and Do, this (decide) 
inference must be preserved in 'Df. Thus is linked in 'Df and for analogous reasons 5^ is 
linked in 'Df . These derivations satisfy the induction hypothesis as deductions with fewer than 
n $(\lor \to)$ inferences; we can apply the induction hypothesis with and 5^ as the distinguished
linked formulas to preserve. This results in SCLB derivations Si and S with the same end-sequents 
as T)'^ and in which every block is canceled, linked, isolated, simple and spanned, and in 
which respectively A^ and 5^ are linked. 

We need only one of S^ and ® to reconstruct $\mathcal{D}'$ using blocking inferences. For example, we
obtain a proof using (V ) by using S in place of as schematized below: 



D' 



no,F,n;r,AV5^' A^ ^ A;0o,0 



no,F,n'X^0o,0' 



no,F,n;r,AV5^ — ^ A;0o,0 



V 



no,F;— ^;0o 



In a complementary way, we obtain a proof using (V — *^|) by using ^ in place of Ti^ as schematized 
below:



no,F,n;r,AV^^,^^^A;Qo,Q 



no,F,n'X- 



©0,0' 



no,F,n;r,AV5^ — ^ A;0o,"0" 



V 



no,i^; 



■;0o 



Note that the root block is isolated in both cases, because we have added only as many formulas
to $\Pi'$ and $\Theta'$ as are necessary to obtain a balanced, spanned sequent; the remaining expressions
originate in the end-sequent of the previous block, which we know was isolated. Thus, in both
cases, we have blockwise eager derivations in which every block is canceled, isolated, simple,
balanced and spanned, in which fewer than n $(\lor \to)$ inferences are used, and in which only the
root block may fail to be linked. We thus need to apply the construction of Lemma [TOI again
to ensure that the root block is linked. It is possible for the distinguished occurrence of F not
to be linked in one of the resulting derivations, but not both. To see this, consider applying the
construction of Lemma to $\mathcal{D}'$ itself, as a test: the result will be $\mathcal{D}'$ since is linked. Starting
from CD^ and and axioms elsewhere, each inference in corresponds to an inference in the
alternative derivations schematized above. We can argue by straightforward induction that no
formula is linked in the reconstructed unless it is also linked in one of the corresponding
reconstructed alternative derivations. And F is linked in $\mathcal{D}'$.

Call the derivation in which F is linked we substitute for $\mathcal{D}'$ in $\mathcal{D}$. Since F remains
linked in $\mathcal{D}''$, when we do so, we obtain a blockwise eager SCLU derivation with an appropriate
end-sequent, with fewer original $(\lor \to)$ inferences, and in which every block remains canceled,
linked, isolated, simple, balanced and spanned, and in which $(\lor \to)$ inferences lie at the root
of SCLS derivations. Applying the induction hypothesis to the result gives the required SCLB
derivation. ■



B.3 Proof of Lemma^ 

We are given a blockwise eager SCLB derivation $\mathcal{D}$, with end-sequent

$\Pi; \Gamma \longrightarrow \Delta; \Theta$

in which every block is linked, simple and spanned. We construct an SCLP derivation $\mathcal{D}'$ of which
four additional properties hold:

• the end-sequent of $\mathcal{D}'$ takes the form

$\Pi; \Gamma' \longrightarrow \Delta'; \Theta$

with $\Gamma' \subseteq \Gamma$ and $\Delta' \subseteq \Delta$;

• $\mathcal{D}'$ contains in each segment or block all and only the axioms of the corresponding segment
or block of $\mathcal{D}$;
• whenever contains a sequent of the form

$\Pi^*; \Gamma \longrightarrow F; \Theta^*$

F is the only right formula on which an axiom in that block is based; and

• whenever contains a sequent of the form

$\Pi^*; F \longrightarrow \Delta^*; \Theta^*$

then F is the only left formula on which an axiom in that segment is based.
In the base case, $\mathcal{D}$ is

n;r,A^^5^,A;0 

and $\mathcal{D}'$ is

Supposing the claim true for proofs of height h, consider a proof with height h+1. We consider
cases for the different rules with which $\mathcal{D}$ could end.

The treatment of A) is representative of the case analysis for the right rules other than
(^>). $\mathcal{D}$ ends

n;— ^A^,AA^^,A;0 D; — ^ ^^,A A^^, A;0 

n;— ^AA55^;A^ 

(It is a consequence of Lemma |] that in the initial derivation there is an empty local area.) We 
simply apply the induction hypotheses to the immediate subderivations. If the resulting derivations 
end with (restart), consider the immediate subderivation of the results, otherwise consider the 
results themselves. These derivations end 

$\Pi; \longrightarrow C; \Theta$
$\Pi; \longrightarrow D; \Theta$

We must have C = A; we know from the structure of that A is linked, and A could not be linked
in $\mathcal{D}$ unless C = A since $\mathcal{D}'$ shows that all of the axioms in $\mathcal{D}$ derive from C. For the same reason
D = B. So we can combine the resulting proofs by an A) inference to give the needed $\mathcal{D}'$.

The case of (^>) proceeds similarly, but relies on an additional observation. $\mathcal{D}$ ends

©1 

n;— ^A,A>,5^;0 

We apply the induction hypothesis to $\mathcal{D}_1$ and eliminate any final (restart) inference. This gives us
a derivation 2)| of

If we know that the B-side expression of this inference is linked in this block, then we can conclude,
as before, that E is an occurrence of the expression 5^^. We show this as follows. We know from
the structure of $\mathcal{D}$ only that one of the A-expression and the B-expression must be linked. However,
it is straightforward to show that no left expression A'^^ is linked in an SCLP derivation with a
local goal Cy unless $\mu\eta$ is a prefix of v. (The argument is a straightforward variant for example
of [Stone, 1999, Lemma 2].) Since $\mathcal{D}$ is simple and spanned, $\eta$ must be new; is the only
expression whose associated path term has $\mu\eta$ as a prefix.
Thus, we construct $\mathcal{D}'$ using an SCLP inference as

n;— ^A>;5^i0 

Now suppose $\mathcal{D}$ ends in a left rule other than (d— or (V — We take (A — as a
representative case; then $\mathcal{D}$ is:

2?i 

n;r,AA^,A^,^^^A;Q 
n;r,AA5^ — ^ A;0 

Apply the induction hypothesis to $\mathcal{D}_1$. If the result ends in a (decide) inference, let be the
immediate subderivation of the result; otherwise let $\mathcal{D}_1'$ be the result itself. $\mathcal{D}_1'$ is an SCLP derivation
with an end-sequent of the form:

$\Pi; E \longrightarrow F; \Theta$

E must be a side expression of the inference in question, here (A ^); otherwise the corresponding
inference could not have been linked in $\mathcal{D}$. One of the inference figures (A and {A ^r) must
apply depending on which side expression E is. For concrete illustration, we suppose E is A'^; then
we construct $\mathcal{D}'$ as:

©; 



n;AA5^ — ^F;0^ 



Next, we suppose $\mathcal{D}$ ends in (d^^), as follows:

©1 ©2 

n;— ^A^,A;0 n;r,A D — ^ A;0 ^ 

n;r,ADB^ — ^ A;0 

We begin by applying the induction hypothesis to the subderivation $\mathcal{D}_1$. After stripping off any
(restart), we obtain an SCLP derivation ©i with end-sequent

$\Pi; \longrightarrow C; \Theta$

By the usual linking argument, the expression C must be identical to A^. We then apply the
induction hypothesis also to the right subderivation. Again, after stripping off any (decide), we get
an SCLP derivation ©2 with end-sequent

$\Pi; D \longrightarrow E; \Theta$

By the usual linking argument, D must in fact be identical to 5^. Thus we obtain the needed
by combining the two derivations by the SCLP (d— >) rule:

©J 

n;— ^A^;0 n;^^— ^£;0 

Finally, for (V -^^), we consider the representative case of $\mathcal{D}$ as schematized below:

n;r,A^— ^A;0 ^;0^ ^ 

n;r,AVfi^ — ^ A;0 

We begin by applying the induction hypothesis to $\mathcal{D}_1$, the subderivation in the current block; if
necessary, we strip off any initial (decide) inference, obtaining $\mathcal{D}_1'$ with an end-sequent that by
linking takes the form:

n;A^ — ^£;0 

Next, we apply the induction hypothesis to the other subderivation. Since both local areas are 
empty in the input subderivation, they remain empty in the result subderivation: this gives ©2 with 
end-sequent: 

n'X;— ^;0' 

The two subderivations can be recombined by the SCLP (V inference to obtain the needed
$\mathcal{D}'$:

n;A^— »-£;0 n^^^;— »^;0^ 